About This Guide


This document describes how to create directories and files on a NetWare® 6.5 SP8 server and how to
give users secure access to them. It discusses file system access control issues, such as file system
trustees, trustee rights, inherited rights filters, and directory and file attributes for the Novell Storage
Services (NSS) file system on Linux* and NetWare®, NetWare Core Protocol™ (NCP™) volumes
on Linux, and the NetWare Traditional file system on NetWare.





IMPORTANT: This book contains information for NetWare 6.5 SP8 and Novell Open Enterprise 
Server 2 SP1 Linux. For the latest information about using file systems on Linux, see the Novell 
Open Enterprise Server 2 SP2 Linux or later versions of the OES 2 SP2: File Systems Management 
Guide. 





For information about managing Linux POSIX file systems and access control lists, see “Access
Control Lists in Linux” (http://www.novell.com/documentation/sles10/book_sle_reference/data/cha_acls.html)
in the SUSE Linux Enterprise Server 10 SP3 Installation and Administration Guide
(http://www.novell.com/documentation/sles10/book_sle_reference/data/book_sle_reference.html).


This guide is divided into the following sections: 
+ Chapter 1, “File Systems Overview”
+ Chapter 2, “What’s New for File System Management and Access”
+ Chapter 3, “Coexistence and Migration Issues”
+ Chapter 4, “Management Tools for Files and Folders Management”
+ Chapter 5, “Understanding Directory Structures for the NSS and NetWare Traditional File Systems”
+ Chapter 6, “Planning Directory Structures for NetWare Servers”
+ Chapter 7, “Managing Folders and Files on NSS and NetWare Traditional Volumes”
+ Chapter 8, “Understanding File System Access Control Using Trustees”
+ Chapter 9, “Configuring File System Trustees, Trustee Rights, Inherited Rights Filters, and Attributes”
+ Chapter 10, “Understanding Directory Structures in Linux POSIX File Systems”

Audience


This guide is intended for network administrators and users. 


Feedback 


We want to hear your comments and suggestions about this manual and the other documentation
included with this product. Please use the User Comment feature at the bottom of each page of the
online documentation, or go to www.novell.com/documentation/feedback.html
(http://www.novell.com/documentation/feedback.html) and enter your comments there.


Documentation Updates 


For the most recent version of the File Systems Management Guide, see the NetWare 6.5 SP8 
Documentation Web site (http://www.novell.com/documentation/nw65). 


Additional Documentation 


+ NW 6.5 SP8: NSS File System Administration Guide
+ OES 2 SP2: NCP Server for Linux Administration Guide
+ SUSE Linux Enterprise Server 10 SP3 Installation and Administration Guide (http://www.novell.com/documentation/sles10/book_sle_reference/data/book_sle_reference.html)
+ NW6.5 SP8: Traditional File System Administration Guide
+ Novell Client 2.0 SP2 for Linux Administration Guide
+ Novell Client 2 for Windows Vista/2008 Administration Guide
+ Novell Client 4.91 SP5 for Windows XP/2003 Installation and Administration Guide
+ NW 6.5 SP8: AFP, CIFS, and NFS (NFAP) Administration Guide
+ OES 2 SP2: Novell AFP For Linux Administration Guide
+ OES 2 SP2: Novell CIFS for Linux Administration Guide
+ OES 2 SP2: Domain Services for Windows Administration Guide
+ OES 2 SP2: Samba Administration Guide


Documentation Conventions 


In Novell documentation, a greater-than symbol (>) is used to separate actions within a step and 
items in a cross-reference path. 


A trademark symbol (®, ™, etc.) denotes a Novell trademark. An asterisk (*) denotes a third-party
trademark.


When a single pathname can be written with a backslash for some platforms or a forward slash for 
other platforms, the pathname is presented with a backslash. Users of platforms that require a 
forward slash, such as Linux or UNIX*, should use forward slashes as required by your software. 

File Systems Overview


This section introduces the file systems supported in Novell® Open Enterprise Server 2. 


For an overview of file access protocols, see “File Services” in the NW 6.5 SP8: Planning and 
Implementation Guide. 


+ Section 1.1, “Novell Storage Services File System”
+ Section 1.2, “Linux POSIX File Systems”
+ Section 1.3, “NCP Volumes for Linux”
+ Section 1.4, “NetWare Traditional File System”
+ Section 1.5, “What’s Next”


1.1 Novell Storage Services File System 


Novell Open Enterprise Server 2 provides the Novell Storage Services™ (NSS) file system for both 
the NetWare® and Linux platforms. Its many features and capabilities include visibility, a trustee 
access control model, multiple simultaneous name space support, native Unicode*, user and
directory quotas, rich file attributes, multiple data stream support, event file lists, and a file salvage 
sub-system. These features can help you effectively manage your shared file storage for any size 
organization, scaling management of the system for even the largest of organizations with hundreds 
of thousands of employees. 


NSS volumes are cross-compatible between OES 2 platforms. You can migrate your existing NSS 
volumes from NetWare to OES 2 Linux. For information, see “Cross-Platform Issues for NSS 
Volumes” in the NW 6.5 SP8: NSS File System Administration Guide. 


Mixed-platform clusters are supported for temporary scenarios where you are converting a cluster 
from NetWare to Linux. In a mixed-platform cluster, NSS volumes that were created on NetWare 
can fail over between kernels, allowing for full data and file system feature preservation when 
converting clusters to Linux. However, you cannot SAN boot cross-platform. For information, see 
“Converting NetWare 6.5 Clusters to OES 2 Linux” in the OES 2 SP2: Novell Cluster Services 1.8.7 
for Linux Administration Guide. 


You can manage all storage management functions in the Web-based Novell iManager utility and 
the console-based NSS Management utility. NSS also supports third-party tools on both kernels for 
advanced data protection and management, virus scanning, and traditional archive and backup 
solutions. 


For information, see the NW 6.5 SP8: NSS File System Administration Guide.


1.2 Linux POSIX File Systems 


The OES 2 Linux platform supports a variety of Linux POSIX file systems. It requires a Linux 
POSIX file system, such as Ext3, XFS, or Reiser, for its system volume. The upper level of the 
kernel deals equally with these file systems through an abstract layer, the virtual file system (VFS). 
Some typical Linux POSIX file systems are described in Table 1-1: 

Table 1-1 Linux POSIX File Systems

| Linux POSIX File System | Description |
|---|---|
| Second Extended File System (Ext2) | Ext2 is a legacy file system with a solid reputation. It uses less memory than other options and is sometimes faster. Ext2 does not maintain a journal so it is not desirable to use it for any server that needs high availability. |
| Third Extended File System (Ext3) | Ext3 is a journaling file system that has the same data format and metadata format as its predecessor, Ext2. You can move from Ext2 to Ext3, and vice versa, without rebuilding your file system. It also offers options to coordinate its metadata journaling with data writes. |
| Reiser File System (Reiser) | Reiser supports metadata journaling, but does not include data journaling or ordered writes. Its disk space utilization, disk access performance, and crash recovery are better than Ext2. |
| Journaled File System (JFS) | JFS was developed by IBM to support high throughput server environments where performance is the ultimate goal. Because it is a full 64-bit file system, JFS supports both large files and partitions. It supports group commit of log entries for multiple concurrent operations, which improves journaling performance. It supports different directory organization for small and large directories and uses space efficiently. |
| Extended File System (XFS) | XFS is a high-performance 64-bit journaling file system. It is good at manipulating large files and performs well on high-end hardware. XFS takes great care of metadata integrity. It supports independent allocation groups that can be addressed concurrently by the system kernel, which suits the needs of multiprocessor systems. It preallocates free space on the device to reduce file system fragmentation. However, delayed writes can result in data loss if the system crashes. |


For more information, see “File Systems in Linux”
(http://www.novell.com/documentation/sles10/book_sle_reference/data/cha_filesystems.html)
in the SUSE Linux Enterprise Server 10 SP3 Installation and Administration Guide
(http://www.novell.com/documentation/sles10/book_sle_reference/data/book_sle_reference.html).


File System Primer (http://wiki.novell.com/index.php/File_System_Primer) describes the variety of 
file systems available on Linux and which ones are the best to use for which workloads and data. 


1.3 NCP Volumes for Linux 


NCP™ Server for Linux enables you to create NCP volumes on top of Linux POSIX file systems 
such as Ext3 or Reiser file systems. This allows you to use the same method of file system trustees 
and trustee rights to control access to data on Linux POSIX file systems as you use on NSS volumes 
and NetWare Traditional volumes. 


For information, see OES 2 SP2: NCP Server for Linux Administration Guide. 


1.4 NetWare Traditional File System 


The NetWare Traditional file system provides legacy storage and file system management for 
Novell Open Enterprise Server 2 NetWare (same as NetWare 6.5 Support Pack 7). 

You can optionally use NetWare Traditional volumes in combination with NSS volumes on NetWare
when you are using the NCP protocol. However, if you are planning to implement Apple* Filing 
Protocol* (AFP), Network File System (NFS), or Common Internet File System (CIFS) for your 
NetWare server, you must use NSS for your system volume and for any data volumes that use any 
protocols other than NCP. For information, see the NW 6.5 SP8: AFP, CIFS, and NFS (NFAP) 
Administration Guide. 


For information, see the NW6.5 SP8: Traditional File System Administration Guide. 


1.5 What’s Next 


Continue with Chapter 3, “Coexistence and Migration Issues,” on page 19. 

What’s New for File System Management and Access


This section describes enhancements and additions for user file access services for NetWare® 6.5
SP8.


+ Section 2.1, “What’s New (NetWare 6.5 SP8)”
+ Section 2.2, “What’s New (NetWare 6.5 SP7)”


2.1 What’s New (NetWare 6.5 SP8) 


The enhancements and changes described in this section were made to file systems management 
features for the NetWare 6.5 SP8 release. 


+ Section 2.1.1, “Novell AFP for Linux”
+ Section 2.1.2, “Novell CIFS for Linux”
+ Section 2.1.3, “Novell Domain Services for Windows”


2.1.1 Novell AFP for Linux 


Novell AFP for Linux is available for accessing files on NSS volumes on OES 2 SP1 Linux. For 
information, see the OES 2 SP2: Novell AFP For Linux Administration Guide. 


2.1.2 Novell CIFS for Linux 


Novell CIFS for Linux is available for accessing files on NSS volumes on OES 2 SP1 Linux. For 
information, see the OES 2 SP2: Novell CIFS for Linux Administration Guide. 


2.1.3 Novell Domain Services for Windows 


Novell Domain Services for Windows is available for accessing files on NSS volumes on OES 2
SP1 Linux using the CIFS protocol. For information about installing and managing Domain
Services for Windows, see the OES 2 SP2: Domain Services for Windows Administration Guide.


2.2 What’s New (NetWare 6.5 SP7) 


The enhancements and changes described in this section were made to file system management 
features for the NetWare 6.5 SP7 release. 


+ Section 2.2.1, “Files and Folders Plug-In to Novell iManager 2.7”
+ Section 2.2.2, “Novell Client”
+ Section 2.2.3, “Samba Plug-In to Novell iManager 2.7”
+ Section 2.2.4, “Novell Distributed File Services”
+ Section 2.2.5, “Extended Attributes Support for Backing Up Trustee Information for NSS Volumes on Linux”


2.2.1 Files and Folders Plug-in to Novell iManager 2.7 


The Files and Folders plug-in to Novell iManager 2.7 provides folder (directory) and file 
management tasks for administrators and users. Selecting the View Objects icon in the iManager 
toolbar presents a file system tree-browsing view of volumes that have Volume objects in Novell 
eDirectory™. The Files and Folders role in the Roles and Tasks view provides a tasked-based view 
of file and folder management. The plug-in can be used to manage Novell Storage Services™ (NSS) 
volumes on OES 2 Linux and NetWare®, NSS and NetWare Traditional volumes on NetWare 6.5 
SP7, and NCP volumes on OES 2 Linux. 


The following tasks are available from either view (tree-browse or role-tasks). Features that apply 
only to a given file system are noted. 


+ Properties management for files and folders
    + Trustees
    + Trustee rights
    + Inherited rights filters (IRF)
    + View effective rights for a given trustee for a file, and view inherited rights filters along its full path
    + File system attributes (only NSS volumes)
    + Directory quotas (only for NSS volumes where the volume’s Directory Quotas attribute is enabled)
    + File ownership
+ Create and delete folders
+ Upload and download files
+ Salvage and purge deleted files and directories (only for NSS volumes where the volume's Salvage attribute is enabled)


2.2.2 Novell Client 


See the following resources for the latest release of the Novell Client™, which provides NetWare 
Core Protocol™ (NCP™) access for users on Linux and Windows*. 


+ Novell Client 2.0 for Linux documentation Web site (http://www.novell.com/documentation/linux_client/index.html)
+ Novell Client for Windows Vista documentation Web site (http://www.novell.com/documentation/vista_client/index.html)
+ Novell Client 4.91 SP4 for Windows XP/2003 documentation Web site (http://www.novell.com/documentation/noclienu/index.html)


2.2.3 Samba Plug-in to Novell iManager 2.7


The Samba for Linux plug-in for Novell iManager 2.7 has been revamped to provide a more 
intuitive setup for Samba/CIFS users on your OES 2 Linux server. For information, see OES 2 SP2:
Samba Administration Guide.


2.2.4 Novell Distributed File Services 


For the OES 2 release, Novell Distributed File Services is now supported on OES 2 Linux in 
addition to NetWare. Replica sites for the DFS management context can run on Linux or NetWare, 
and can be clustered. You can create DFS junctions on NSS volumes on either platform and point 
the junction to target locations on NSS volumes and NCP volumes. 


The Distributed File Services plug-in for Novell iManager 2.7 is available to manage management 
contexts, replica sites, and junctions. You can set rights on junctions and on junction targets, and 
copy explicitly set trustees, trustee rights, and inherited rights filters between them. Inheritance of 
rights occurs independently for the junction and the junction target locations, each relative to its own
location.


For information, see the NW 6.5 SP8: Novell Distributed File Services Administration Guide. 


2.2.5 Extended Attributes Support for Backing Up Trustee Information for NSS Volumes on Linux


Extended Attributes (XAttr) support was added for backing up trustee information for NSS volumes
on Linux. For information, see “Extended Attributes (XAttr) Commands (Linux)” in the NW 6.5
SP8: NSS File System Administration Guide.


Coexistence and Migration Issues


This section discusses the issues involved in the coexistence and migration of file systems in 
Novell® Open Enterprise Server 2. 

+ Section 3.1, “Comparison of NSS to Other File Systems”
+ Section 3.2, “Compatibility Issues for File System Rights on Linux”
+ Section 3.3, “NCP Server Directory and File-System Trustee Rights and Attributes”
+ Section 3.4, “Acquiring eDirectory Security Equivalence Vectors for NSS Users”
+ Section 3.5, “Security Guidelines”
+ Section 3.6, “Migrating NetWare Traditional Volumes to Linux”


3.1 Comparison of NSS to Other File Systems 


The following table lists sections in the NW 6.5 SP8: NSS File System Administration Guide that 
contain comparisons of the Novell Storage Services™ file system to other file systems in OES: 


| Comparison | NSS on NetWare® | NSS on Linux | Linux POSIX File Systems with NCP | NetWare Traditional File System |
|---|---|---|---|---|
| “Comparison of NSS on NetWare and NSS on Linux” | X | X | | |
| “Comparison of NSS on Linux and NCP Volumes on Linux POSIX File Systems” | | X | X | |
| “Comparison of NSS on NetWare and the NetWare Traditional File System” | X | | | X |


3.2 Compatibility Issues for File System Rights on Linux


This section discusses the following issues for controlling access to files on Linux: 


+ Section 3.2.1, “Enforcing File System Rights on Linux”
+ Section 3.2.2, “Assigning File System Rights on Linux”
+ Section 3.2.3, “Key Considerations”


3.2.1 Enforcing File System Rights on Linux


File and directory access rights are enforced on Linux systems in different ways, depending on the
following:

+ User identity, such as Novell eDirectory™ users, Linux-enabled eDirectory users, and local-only users
+ Access method, such as NCP™ Server, other protocols, or core Linux utilities.

  For information about core Linux utilities, see “Core Linux Utilities” on page 21.

+ File system access control, such as NSS file and directory attributes


Novell eDirectory Users


The following table describes how file system access rights are enforced on Linux systems for
eDirectory users:

| File System | Access via NCP Server for Linux | Access via Linux Protocols (such as NFS or Samba) | Access via Core Linux Utilities |
|---|---|---|---|
| NSS on Linux | NCP and NSS enforce access. For security reasons, soft links are not supported by NCP Server. Soft links are not accessible from NCP clients; users cannot see or access them. | NCP and NSS enforce access. eDirectory users must be Linux-enabled with Linux User Management. | NCP and NSS enforce access. eDirectory users must be Linux-enabled with Linux User Management. Linux services need to be enabled for pluggable authentication modules (PAM) when you configure Linux User Management. |
| NCP volumes on Linux POSIX file systems | NCP enforces access. For security reasons, soft links are not supported by NCP Server. Soft links are not accessible from NCP clients; users cannot see or access them. | NCP enforces access. eDirectory users must be Linux-enabled with Linux User Management. | NCP enforces access. eDirectory users must be Linux-enabled with Linux User Management. Linux services need to be enabled for pluggable authentication modules (PAM) when you configure Linux User Management. |
| Linux POSIX file systems | eDirectory users have no access to files via NCP. | Linux ACLs and POSIX permissions are used to enforce access. | Linux ACLs and POSIX permissions are used to enforce access. |

Local-Only Users 


The following table describes how file system access rights are enforced on Linux systems for 
locally defined users: 


| File System | Access via NCP Server for Linux | Access via Other Protocols (such as NFS or Samba) | Access via Core Linux Utilities |
|---|---|---|---|
| NSS on Linux | Restricted to the root user. | Restricted to the root user. | Restricted to the root user. |
| NCP volumes on Linux POSIX | Restricted to the root user. | Restricted to the root user. | Restricted to the root user. |
| Linux POSIX file systems | Local users have no access to files via NCP. | Linux ACLs and POSIX permissions are used to enforce access. | Linux ACLs and POSIX permissions are used to enforce access. |


Core Linux Utilities 


Core Linux utilities are standard file services used to access files. 





IMPORTANT: To enable users of NSS volumes and NCP volumes to use the core Linux utilities, 
you must PAM-enable the utility with Linux User Management (LUM) and Linux-enable the users 
with LUM. For information, see OES 2 SP2: Novell Linux User Management Technology Guide. 





Core Linux utilities include the following:

+ Shell login
+ Samba server
+ File transfer protocol (ftp)
+ Secure shell (ssh)
+ Substitute user (su), which runs a shell as root (or superuser)
+ Remote shell (rsh)
+ Remote login (rlogin)
+ X display manager (xdm)
+ Open Web-based enterprise management (openwbem)


3.2.2 Assigning File System Rights on Linux 


The following table identifies the management tools to use to assign Novell trustee-based file 
system rights on Linux. 





IMPORTANT: Only eDirectory users are eligible for file-system trustee rights. 

| Management Tool | NSS File System on Linux: NCP | NSS File System on Linux: NFS or Samba | NSS File System on Linux: Core Linux Utilities | Linux POSIX File Systems: NCP | Linux POSIX File Systems: NFS or Samba | Linux POSIX File Systems: Core Linux Utilities |
|---|---|---|---|---|---|---|
| NSS rights utility | Yes | Yes | Yes | Yes | Not applicable | Not applicable |
| Novell NetStorage | Yes | Yes | Yes, for NetStorage with SSH support | Not supported by NetStorage | Not applicable | Not applicable |
| Novell Client™ for Windows XP/2003 and for Windows Vista | Yes | Not applicable | Not applicable | Yes | Not applicable | Not applicable |
| Novell Client for Linux | Yes | Not applicable | Not applicable | Yes | Not applicable | Not applicable |
| ConsoleOne® | Yes | No | No | Yes | Not applicable | Not applicable |


3.2.3 Key Considerations 


If you use core Linux utilities—with, or instead of, NCP Server for Linux—to control file access for 
eDirectory users on Linux: 


+ Make sure the core Linux utilities are PAM-enabled during Linux User Management (LUM) 
configuration. 


+ eDirectory users must be Linux-enabled to use the core Linux utilities. A Linux-enabled user is 
defined as a local user and as an eDirectory user. (Linux-enabled is also referred to as LUM- 
enabled.) 


Although NCP and NSS keep file system rights information separately, the information is 
synchronized between them. 


3.3 NCP Server Directory and File-System Trustee Rights and Attributes


NCP Server for Linux provides the same file-system trustee rights for both NSS and Linux POSIX 
file systems. These are the same rights that exist for NSS and NetWare Traditional file systems on 
NetWare. The trustee rights include: 

+ Read
+ Write
+ Create
+ Erase
+ Modify
+ File Scan
+ Access Control
+ Supervisor

For information, see Section 8.2, “File-System Trustee Rights,” on page 68.


NCP Server supports all NSS file system attributes. For information about attributes, see 
Section 8.6, “Directory and File Attributes for NSS Volumes or NetWare Traditional Volumes,” on 
page 75. 


NCP volumes created on Linux POSIX file systems (such as Reiser, JFS, Ext3) support only the 
Read Only, Hidden, and Shareable attributes. 


3.4 Acquiring eDirectory Security Equivalence Vectors for NSS Users


The Security Equivalence Vector (SEV) is calculated for each NSS user based on information in the 
user’s profile in Novell eDirectory. NSS validates the user’s SEV against the trustee rights of the 
directory and file the user is attempting to access. In OES, SEVs are acquired differently for NSS on 
NetWare and NSS on Linux. 


For NSS on NetWare, whenever a user connects to the NSS file system, NetWare retrieves the user’s 
SEV from eDirectory and maintains it as part of the connection structure for the user’s session. NSS 
automatically retrieves the user’s SEV from the connection structure. 


For NSS on Linux, whenever a user first connects to the NSS file system after reboot, NSS caches 
the SEV locally in the server memory, where it remains until the server is rebooted or unless the user 
is deleted from eDirectory. NSS polls eDirectory at a specified interval for updates to the SEVs that 
are in cache. Command line switches are available in the NSS Console utility (nsscon) to enable or 
disable the update, to set the update interval (5 minutes to 90 days), and to force an immediate 
update of security equivalence vectors. For information, see “Security Equivalence Vector Update 
Commands (Linux)” in the NW 6.5 SP8: NSS File System Administration Guide. 
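
The caching behavior described above determines how long a revoked security equivalence can keep granting access on NSS for Linux. The following Python model is an added example, not Novell code: the class and function names, the set-based SEV representation, and the immediate eviction when a user is deleted are assumptions made for illustration.

```python
# Added illustration: simplified model of SEV caching for NSS on Linux.
# All names and the set-based SEV representation are assumptions.

MIN_INTERVAL = 5 * 60           # 5 minutes (lower bound given in the guide)
MAX_INTERVAL = 90 * 24 * 3600   # 90 days (upper bound given in the guide)


class Directory:
    """Stand-in for eDirectory: user name -> set of security equivalences."""

    def __init__(self):
        self.users = {}


class SevCache:
    """Server-side SEV cache, filled on first connect and refreshed by polling."""

    def __init__(self, directory, interval, update_enabled=True):
        if not MIN_INTERVAL <= interval <= MAX_INTERVAL:
            raise ValueError("update interval must be 5 minutes to 90 days")
        self.directory = directory
        self.interval = interval
        self.update_enabled = update_enabled
        self.cache = {}
        self.last_poll = 0          # server booted at t = 0

    def _poll_if_due(self, now):
        if self.update_enabled and now - self.last_poll >= self.interval:
            self.force_update(now)

    def force_update(self, now):
        """Immediate refresh of every cached SEV from the directory."""
        for user in list(self.cache):
            if user in self.directory.users:
                self.cache[user] = frozenset(self.directory.users[user])
            else:
                del self.cache[user]
        self.last_poll = now

    def connect(self, user, now):
        """First connection after boot caches the SEV; later ones reuse it."""
        self._poll_if_due(now)
        if user not in self.cache:
            self.cache[user] = frozenset(self.directory.users[user])

    def user_deleted(self, user):
        """Deleting the user removes the cached SEV (modelled as immediate)."""
        self.directory.users.pop(user, None)
        self.cache.pop(user, None)

    def reboot(self, now):
        self.cache.clear()
        self.last_poll = now

    def has_right(self, user, trustees, right, now):
        """Validate the cached SEV against trustee assignments of one directory."""
        self._poll_if_due(now)
        sev = self.cache.get(user, frozenset())
        return any(right in rights for t, rights in trustees.items() if t in sev)


def exposure_after_revocation(interval, update_enabled=True, step=60):
    """Seconds a revoked group membership keeps granting Read, or None if it
    is still effective after two polling intervals (constructed scenario)."""
    d = Directory()
    d.users["alice"] = {"alice", "finance"}
    trustees = {"finance": {"R", "F"}}      # trustee -> rights on the directory
    nss = SevCache(d, interval, update_enabled)
    nss.connect("alice", now=10)
    revoked_at = 60
    d.users["alice"].discard("finance")     # admin removes the equivalence
    t = revoked_at
    while t <= revoked_at + 2 * interval:
        if not nss.has_right("alice", trustees, "R", t):
            return t - revoked_at
        t += step
    return None


if __name__ == "__main__":
    print("5-minute interval:", exposure_after_revocation(300), "seconds")
    print("1-hour interval:  ", exposure_after_revocation(3600), "seconds")
    print("updates disabled: ", exposure_after_revocation(300, False))
```

In this model the revocation takes effect only at the next poll, so the update interval bounds the exposure window; with updates disabled, the stale SEV persists until a forced update, a reboot, or deletion of the user.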


3.5 Security Guidelines 


To install applications on your NSS or NetWare Traditional file system, you must be logged in as a 
trustee with the Create right of the directory where you will be installing the application. The 
Supervisor user of the server automatically has the Create right. 


3.6 Migrating NetWare Traditional Volumes to Linux


For the initial release of OES Linux, you can migrate a NetWare Traditional File System volume 
from your NetWare server to a Linux server by first upgrading it to an NSS volume on OES 
NetWare, then moving the volume cross-platform to OES Linux. However, for OES SP1 and later, 
NSS volumes on NetWare have a format that is not supported cross-platform. For information, see 
“Upgrading the NSS Media Format” in the NW 6.5 SP8: NSS File System Administration Guide. 


To upgrade Traditional volumes for your OES NetWare server, see “Upgrading Legacy NSS and 
NetWare Traditional Volumes” in the NW 6.5 SP8: NSS File System Administration Guide. 

For information about using NSS volumes cross-platform, see the following topics in the NW 6.5
SP8: NSS File System Administration Guide: 


+ “Cross-Platform Issues for NSS Volumes” 
+ “Moving Non-Clustered Devices From NetWare Servers to OES 2 Linux Servers” 


+ “Moving Clustered Devices with NSS Volumes Cross-Platform” 

Management Tools for Files and Folders Management


This section identifies the various tools for managing files and folders on a Novell® Open Enterprise
Server 2 system.

+ Section 4.1, “Novell iManager and the Files and Folders Plug-In”
+ Section 4.2, “Novell Remote Manager”
+ Section 4.3, “Novell NetStorage”
+ Section 4.4, “Novell Client”


4.1 Novell iManager and the Files and Folders Plug-In


Novell iManager 2.7 is a Web browser-based tool used for configuring, managing, and
administering Novell eDirectory™ objects on your network.

+ Section 4.1.1, “Files and Folders Plug-In Quick Reference”
+ Section 4.1.2, “Accessing Novell iManager”
+ Section 4.1.3, “Accessing Roles and Tasks in iManager”
+ Section 4.1.4, “Selecting a File or Folder to Manage”


4.1.1 Files and Folders Plug-In Quick Reference 


The Files and Folders plug-in for iManager 2.7 contains the Files and Folders role for Linux and 
NetWare®. You must install the filemanager.npm file in iManager. For information about
installing NPM files for iManager, see the Novell iManager 2.7 Installation Guide. 


The Files and Folders plug-in for Novell iManager 2.7 provides the tasks described in this section. 


+ “Delete”
+ “Deleted Files”
+ “Download”
+ “New Folder”
+ “Properties”
+ “Upload”


Delete 


Delete a file or folder on an NSS volume or an NCP volume (NCP share on Ext3 or Reiser file 
systems) on Linux. 

Deleted Files


Salvage or purge deleted files. Salvage and purge of deleted files and directories is available only for 
NSS volumes where the volume’s Salvage attribute is enabled. Other NSS volume settings 
determine how long deleted files and directories are retained for salvage or purge actions. For 
information about configuring salvage and purge behavior for NSS volumes, see “Salvaging and 
Purging Deleted Volumes, Directories, and Files” in the NW 6.5 SP8: NSS File System 
Administration Guide. 


Download 

Select and download a file from an NSS volume or NCP volume to a specified location on your local 
drive or mapped network drive. 

New Folder 


Create a folder on an NSS volume or NCP volume. 


Properties 


Add, remove, or modify file system trustees, trustee rights, and file attributes settings for files and 
folders. 


Table 4-1 Properties Tasks

| Tab | Task Description |
|---|---|
| NetWare Info | View information about a selected file or directory, such as current size; time stamps for when the file was created, modified, accessed, and archived; and file attributes. View or modify the file owner. View or modify a directory quota. Directory quotas management is available only for NSS volumes where the volume's Directory Quotas attribute is enabled. |
| NetWare Rights | View, add, or remove file system trustees for a selected file or directory. View, grant, or revoke file system trustee rights for trustees of the selected file or directory. View or modify the inherited rights filter for a selected file or directory. |
| Inherited Rights | View or modify the inherited rights filters at every level of the path for a selected file or directory. View the effective rights for the selected file or directory. |


Upload 


Upload a specified file from your local drive or a mapped network drive to a specified location on an 
NSS volume or NCP volume. 

4.1.2 Accessing Novell iManager


1 Launch a Web browser. 


2 Click File > Open, then enter

https://server-IP-address/nps/iManager.html

The URL is case sensitive. Replace server-IP-address with the actual server DNS name or IP
address. For example:

https://192.168.1.1/nps/iManager.html

The iManager Login page opens.


3 Use your administrator username and password to log in to the Novell eDirectory™ tree that 
contains the server you want to manage. 


In Novell iManager, you can access only the roles and tasks you are authorized to manage. For 
full access to all available Novell iManager features, you must log in as Supervisor of the tree. 


4.1.3 Accessing Roles and Tasks in iManager 


1 Access iManager, then log in to the eDirectory tree where the server you want to manage 
resides. 


For information, see Section 4.1.2, “Accessing Novell iManager,” on page 27. 

2 In Roles and Tasks, select Files and Folders to reveal its main tasks:

+ Delete
+ Deleted Files
+ Download
+ New Folder
+ Properties
+ Upload

3 To activate the options on the selected page, select a file or folder to manage.


For information, see Section 4.1.4, “Selecting a File or Folder to Manage,” on page 27. 


4.1.4 Selecting a File or Folder to Manage 


Before you can access the management options on a selected task page, you must select a file or 
folder to manage. It must be on a server that is in the same Novell eDirectory tree where you are 
currently logged in. 

1 Use one of the following methods to select a file or folder in the tree where you are logged in: 


+ Click the Search icon to open the eDirectory Object Selector. Browse or search the list to 
locate the file or folder you want to manage, then click the object's name link. 


+ Click the Object History icon to select a file or folder that you have recently managed. 


2 Wait for iManager to retrieve information about that file or folder and display the appropriate
information on the task page you are in.


It might take several seconds to retrieve the information, depending on the size and complexity 
of your storage solution. 

4.2 Novell Remote Manager


Novell Remote Manager (NRM) is a browser-based management utility for monitoring server 
health, changing the configuration of your server, or performing diagnostic and debugging tasks. 
NRM also allows you to create NSS pools and volumes and to manage some capabilities for NSS 
volumes on Linux and NetWare. 

+ Section 4.2.1, “Prerequisites for Using Novell Remote Manager,” on page 28

+ Section 4.2.2, “Novell Remote Manager for Linux,” on page 29 

+ Section 4.2.3, “Novell Remote Manager for NetWare,” on page 29 

+ Section 4.2.4, “Accessing Novell Remote Manager,” on page 30 


+ Section 4.2.5, “Starting, Stopping, or Restarting Novell Remote Manager on Linux,” on 
page 31 


4.2.1 Prerequisites for Using Novell Remote Manager 


+ “Prerequisites for Remote Administration” on page 28 
+ “Prerequisites for Admin User Access on Linux Servers” on page 28 


+ “Prerequisite for Admin User Access on NetWare Servers” on page 29 


Prerequisites for Remote Administration

Your configuration must satisfy the following prerequisites:

+ Make sure SSL 3.0 (where available) or SSL 2.0 is enabled in your Web browser.


Novell Remote Manager requires an SSL connection between your Web browser and the target 
server where it is running. You must enable SSL services for your Web browser; otherwise, the 
browser displays an error when it tries to display the Novell Remote Manager Web pages later. 


+ Ports 8008 (insecure) and 8009 (secure) are the default ports used for accessing Novell Remote 
Manager. If you change the port number assigned to it, make sure you specify the same value 
for the port number when you log in. 


Prerequisites for Admin User Access on Linux Servers 


You can log into Novell Remote Manager for Linux as the root user or equivalent for the OES 
Linux server you are managing. 


You can alternately log in to Novell Remote Manager with your eDirectory credentials if you first 
enable Linux User Management (LUM) in your eDirectory tree and install and configure LUM on 
the target server. The Admin user or equivalent must be Linux-enabled and at least one of the 
following conditions must be met: 


+ The Admin user (or equivalent user) must be associated to the eDirectory group that has the 
Supervisor right for the Entry Rights property for the UNIX Workstation object in eDirectory. 


+ The Admin user (or equivalent user) must have the Supervisor right for the Entry Rights 
property to the NCP object that represents the Linux server in the eDirectory tree. 

To tell if a user is Linux-enabled, go to iManager, select the User role, then select the user to see if
the following is true: 


+ The user has a Linux Profile tab on the Modify User page in iManager.

+ The user’s eDirectory object is associated with the UNIX Workstation object that represents the
Linux server.


For information about configuring Linux User Management and enabling users for Linux, see the 
OES 2 SP2: Novell Linux User Management Technology Guide. 


Prerequisite for Admin User Access on NetWare Servers 


To access all pages necessary to manage your server remotely, log in as a user with the Supervisor 
right to the Server object. Usually, this is the Admin user or a user with rights equivalent to the 
Admin user. 


4.2.2 Novell Remote Manager for Linux 


Novell Remote Manager for Linux allows you to browse NSS volumes on your Linux servers. It 
requires that the NCP™ Server and NCP Server plug-in for Novell Remote Manager be installed and 
running. 

Tasks 

The NCP Server plug-in supports the following tasks: 


+ Managing connections to NSS volumes and viewing open files for a connection. 


For information, see “Managing Connections for NCP Volumes and NSS Volumes” in the OES 
2 SP2: NCP Server for Linux Administration Guide. 


+ Creating or managing shadow volumes with NSS volumes as the primary and secondary
storage areas. 


For information, see the OES 2 SP2: Dynamic Storage Technology Administration Guide.

Novell Remote Manager for Linux does not support the following tasks for NSS on Linux:

+ Configuring directory quotas
+ Salvaging and purging deleted files and directories
+ Configuring file system trustees and attributes for directories and files
+ Creating and managing partitions, pools, and volumes


Additional Information 
For detailed information about NRM on Linux, see the OES 2 SP2: Novell Remote Manager for 
Linux Administration Guide. 


4.2.3 Novell Remote Manager for NetWare 


Novell Remote Manager for NetWare provides most of the functionality of the Monitor utility and 
other functionality from server-console-based utilities. It is the primary management tool for 
NetWare Traditional File System volumes. 

Tasks


Novell Remote Manager for NetWare supports the following tasks for managing NSS pools and 
volumes on NetWare servers: 


+ Configuring directory quotas. 


This requires that the Directory Quotas attribute be enabled on the NSS volume. For 
information, see “Managing Directory Quotas” in the NW 6.5 SP8: NSS File System 
Administration Guide. 


+ Salvaging and purging deleted files and directories.


This requires that the Salvage attribute be enabled on the NSS volume. For information, see 
“Salvaging and Purging Deleted Volumes, Directories, and Files” in the NW 6.5 SP8: NSS File 
System Administration Guide. 


+ Configuring file system trustees, trustee rights, inherited rights filter, and file and folder
attributes. For information, see “Viewing and Changing Trustee Assignments and Inherited 
Rights Filters” in the NW 6.5 SP8: Novell Remote Manager Administration Guide. 


+ Creating and managing some aspects of devices, partitions, pools, and volumes.

For full management and feature support, use NSSMU and iManager to manage storage.

+ Managing connections to NSS volumes and viewing open files for a connection.


For information, see “Managing Connections to the Server” in the NW 6.5 SP8: Novell Remote 
Manager Administration Guide. 


Additional Information 


For detailed information, see the NW 6.5 SP8: Novell Remote Manager Administration Guide. 


4.2.4 Accessing Novell Remote Manager 


1 From your Web browser, enter one of the following: 
http://server-ip-address:8008
https://server-ip-address:8009 


Replace server-ip-address with the IP address of the server you want to manage. If you have 
Domain Name Services (DNS) installed on your network for server name-to-IP address 
resolution, you can optionally use the server’s DNS name instead of the IP address. 


2 Determine the authenticity of the SSL certificate, then accept it if the certificate is valid. 
3 When the Login page appears, do one of the following: 


+ Linux: Type the username and password of the root user for that server, or type the 
username and password of the Admin user (or equivalent user) who is an eDirectory user 
and who has been Linux-enabled. 


+ NetWare: Type the username and password of the Admin user or equivalent. 
4 Click OK to log in to the target server and initiate your SSL session. 


The management interface opens in your Web browser. After logging in, your SSL session for 
Novell Remote Manager remains open until you close all your browser windows at that 
workstation. 

4.2.5 Starting, Stopping, or Restarting Novell Remote Manager on Linux


Novell Remote Manager on Linux is installed and runs by default. If it hangs, you can use the
/etc/init.d/novell-httpstkd script to get status or to stop, start, or restart httpstkd. For the latest
information about httpstkd, see “Starting or Stopping HTTPSTKD” in the OES 2 SP2: Novell 
Remote Manager for Linux Administration Guide. 


1 Open a terminal console, then log in as the root user. 


2 At the terminal console prompt, enter the command for the task you need to perform:

Task       Command

Status     rcnovell-httpstkd status
Start      rcnovell-httpstkd start
Stop       rcnovell-httpstkd stop
Restart    rcnovell-httpstkd restart


4.3 Novell NetStorage 


To access NetStorage, launch your Web browser and open it to the following location: 
http://192.168.1.1/oneNet/netstorage 


Replace 192.168.1.1 with the actual DNS name or IP address of your NetStorage server or the IP 
address for Apache-based services. If Apache-based services use a port other than 80, you must also 
specify that port number with the URL. For example, if the port number is 51080, the URL would 
be in the form 


http://192.168.1.1:51080/oneNet/netstorage


The date and time on the workstation being used to access NetStorage should be reasonably close 
(within a few hours) to the date and time on the server running NetStorage to avoid conflicts. 


NetStorage uses Novell eDirectory™ for authentication. Log in with your administrator username 
and password to manage file system access for directories and files on NSS volumes. You can also 
log in as any username with equivalent rights to the administrator. This limitation does not apply if 
you have created a Storage Location object using SSH (Secure Shell). 


NOTE: Viewing or changing directory and file attributes and rights using NetStorage is only 
possible using a browser. This functionality is not available using Microsoft Web Folders. 





4.4 Novell Client 


In combination with NCP Server on your OES Linux or NetWare server, the Novell Client™ 
supports the following: 


+ Management of file system trustees, trustee rights, and inherited rights filters for directories 
and files on NSS volumes 


+ Purge and salvage of deleted files on NSS volumes, if the volume is configured to support it 

+ Drive mapping for NSS volumes

+ Login scripts for automatic drive mapping on login

For information, see the following:


+ Novell Client 2.0 SP2 for Linux Administration Guide 
+ Novell Client 2 for Windows Vista/2008 Administration Guide 
+ Novell Client 4.91 SP5 for Windows XP/2003 Installation and Administration Guide 

Understanding Directory Structures for the NSS and NetWare Traditional File Systems


This section describes the following key concepts for the Novell® Storage Services™ (NSS) File 
System and the legacy NetWare® Traditional file system for Novell Open Enterprise Server (OES) 2 
and NetWare 6.5 SP8: 


+ Section 5.1, “Directory Structures,” on page 33

+ Section 5.2, “Directory Path,” on page 34

+ Section 5.3, “Root Directory,” on page 35

+ Section 5.4, “Fake Root Directory,” on page 35

+ Section 5.5, “Directory Map Objects,” on page 35 
+ Section 5.6, “Drive Map,” on page 36 


5.1 Directory Structures 


The NSS and Traditional file systems provide a uniform method of referring to directories and files 
and locating them on a variety of storage media. As with your office filing system, you must impose 
organization on data you store in a volume. Within each volume, you can group information in 
logical containers called folders or directories. 


A directory is a logical separation within a volume where you store files and subordinate directories, 
called subdirectories. The directory is a special type of file that contains a list of its files and 
subdirectories. It can also contain metadata about the directory, such as who can access it and its 
attributes. For NetWare Traditional, the directory’s metadata is stored in a Directory Entry Table 
(DET), separate from the directory itself. 


A file is the basic logical container for storing information, such as an image, a document, a 
program, text, or a database. 


Within each volume, the directory structure is hierarchical. It is an inverted tree structure with a 
single root. The topmost directory in the hierarchy is called the root directory. A directory is called 
the parent directory of the subdirectories and files in it. A volume can contain any number of 
directories. A directory can contain any number of files and subdirectories. 


The following figure illustrates how volumes are similar to drawers in an office filing cabinet that 
contain related information. For example, the sys: volume on NetWare contains the operating 
system and its extensions. Other volumes might contain applications, corporate data, or user home 
directories and files. 

Figure 5-1 Sample Directory Structure for NSS and Traditional File Systems on a NetWare Server

There is no one best solution for organizing files with directories. You can use a combination of
approaches, such as by geographic location, applications, business units, projects, or owners. For 
information, see “Planning Directory Structures for NetWare Servers” on page 39. 


To control who can access directories and files on your NSS and Traditional NetWare file systems, 
you must assign file system trustees, trustee rights, and inherited rights filters. For information, see 
Section 8.2, “File-System Trustee Rights,” on page 68. 


To control how authenticated users can use directories and files, you must set directory and file 
attributes. For information, see: 


+ Section 8.6, “Directory and File Attributes for NSS Volumes or NetWare Traditional Volumes,” 
on page 75 

+ Section 8.7, “Displaying Key NSS Directory and File Attributes as Linux POSIX
Permissions,” on page 77 


5.2 Directory Path 


A directory or file is located by its path, which states where the directory or file is logically located 
in a volume. A path includes the volume, directory, and any subdirectories leading to the file. The 
following figure shows how to specify a full path. Listing the server is optional. It is usually 
excluded when specifying a path relative to the server where you are logged in. The slash after the 
colon is required in some interfaces and optional in others. Refer to the interface’s documentation to 
determine if a colon and slash combination (:\) is required to separate a volume and directory.


Figure 5-2 Directory Path Conventions 


Separate volume and directory with a colon (:) and slash (\).

Separate all others with a slash (\).

If your network uses multiple server or client operating systems or multiple file systems, keep in
mind the conventions of the different file systems, such as delimiters, path length, and case 
sensitivity. For example, the NSS and Traditional file systems on NetWare use backslashes as 
delimiters and are case insensitive, while file systems native to Linux and UNIX use forward slashes 
and are case sensitive. As another example, NetWare allows 255 characters in a directory path 
(counting the drive letter and delimiters), but DOS allows only 127 characters. For more 
information, check the application’s documentation. 


5.3 Root Directory 


The root directory is the base directory in the volume. The root directory of a volume typically 
contains only directories. 


Storing files at this level is possible, but it can be a security risk. Granting file-system trustee rights 
to files at the root of the volume necessitates granting rights to the entire volume. For information 
about trustee rights, see “Understanding File System Access Control Using Trustees” on page 67. 


To avoid this security risk, create Fake Roots for applications that want to write files to the root 
directory. For information, see Section 5.4, “Fake Root Directory,” on page 35. 
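
The path conventions in Section 5.2 and the root-directory risk in Section 5.3, shown as an added example that is not part of the Novell guide: a parser for the server\volume:\directory form and an audit that flags trustee assignments on a volume root or on files stored there. The trustee records, the kind field, and all function names are assumptions made for illustration.

```python
# Added example (not from the Novell guide): parse volume paths and flag
# trustee assignments that land on a volume root or on a file stored there.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class NetWarePath:
    server: Optional[str]    # optional; usually omitted for the login server
    volume: str
    parts: Tuple[str, ...]   # directories, then the final file or directory name

    @property
    def depth(self) -> int:
        """0 is the volume root itself; 1 is an entry stored directly at the root."""
        return len(self.parts)

    def canonical(self) -> str:
        """Lowercased form for comparison: NetWare paths are case insensitive."""
        prefix = self.server + "\\" if self.server else ""
        return (prefix + self.volume + ":\\" + "\\".join(self.parts)).lower()


def parse_netware_path(text: str) -> NetWarePath:
    """Parse [server\\]volume:[\\]dir\\subdir\\name using the conventions in the text."""
    head, colon, tail = text.strip().partition(":")
    if not colon or not head:
        raise ValueError("no volume name before ':' in %r" % text)
    server, sep, volume = head.rpartition("\\")
    if not volume or (sep and not server) or "\\" in server:
        raise ValueError("malformed server\\volume prefix in %r" % text)
    # The slash after the colon is required by some interfaces, optional in others.
    if tail.startswith("\\"):
        tail = tail[1:]
    parts = tuple(tail.split("\\")) if tail else ()
    if any(not p or ":" in p for p in parts):
        raise ValueError("empty or invalid path component in %r" % text)
    return NetWarePath(server or None, volume, parts)


# Constructed sample: (trustee, target path, kind of target).
SAMPLE_ASSIGNMENTS = [
    ("jsmith",  r"APPSVOL:\SETUP.EXE",      "file"),
    ("wpusers", r"appsvol:setup.exe",       "file"),
    ("wpusers", r"appsvol:wpapps\oo11",     "dir"),
    ("backup",  r"SRV1\DATA:",              "dir"),
    ("jdoe",    r"data:\projects\plan.doc", "file"),
]


def audit_root_grants(assignments) -> List[Tuple[str, str, List[str]]]:
    """Return (path, reason, trustees) for grants the Root Directory section warns about."""
    findings = {}
    for trustee, raw, kind in assignments:
        path = parse_netware_path(raw)
        if path.depth == 0:
            reason = "trustee on the volume root"
        elif path.depth == 1 and kind == "file":
            reason = "trustee on a file stored at the volume root"
        else:
            continue
        # Spelling variants of one target collapse to a single finding.
        findings.setdefault((path.canonical(), reason), set()).add(trustee)
    return [(p, r, sorted(t)) for (p, r), t in sorted(findings.items())]


if __name__ == "__main__":
    for path, reason, trustees in audit_root_grants(SAMPLE_ASSIGNMENTS):
        print("%-22s %-45s %s" % (path, reason, ", ".join(trustees)))
```

A path written without a server is relative to the server where you are logged in, so the audit does not merge it with a path that names a server explicitly.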


5.4 Fake Root Directory 


A fake root is a directory in a volume that functions as a root directory for a specific software 
application. 


Some applications require their executable files to be located in a root directory. However, for 
security, you should not grant users rights to files at the root of the volume. 


NetWare allows you to map a directory as a network drive that serves as a fake root directory, using 
the map root command. This allows you to install an application in a directory and assign rights for 
it at that directory level. For information, see Section 7.12, “Creating a Fake Root Directory with the 
Map Root Command,” on page 60. 


Fake roots work with the NetWare DOS Requester, with NetWare shells, and with clients, including 
Windows* 98/ME and Windows 2000/XP/2003. Fake roots do not work for IBM* OS/2* clients. 
(Under OS/2, all mapped drives are roots, and search drives do not exist.) 


For Windows NT*/2000/XP workstations that use Novell Client™ login scripts, a map command in 
the login script automatically enables a mapped NetWare subdirectory as a fake root directory. For 
information about disabling this behavior, see Section 7.13, “Disabling the Default Use of Map as 
Map Root in Login Scripts,” on page 61. 


5.5 Directory Map Objects 


In Novell eDirectory™, the Directory Map object is a pointer to a path in the NetWare server file 
system that represents a particular directory in the file system. It allows you to make simpler 
references to directories by using a Directory Map object in your login scripts instead of the fixed 
path. Directory Map objects are available only for NetWare NSS and Traditional volumes. 


For instructions, see Section 7.14, “Creating and Configuring a Directory Map Object,” on page 61. 




Using a Directory Map Object 


Directory Map objects can be especially useful in Novell Client login scripts to point to directories 
that contain applications or other frequently used files. In Novell Client login scripts, you can map a 
drive to a Directory Map object instead of to the directory. If the application’s location in the 
directory structure changes, you can update the path in the Directory Map object instead of changing 
the related drive maps in numerous login scripts. For information about map command options, see 
“Using Login Scripts” in the Novell Login Scripts Guide. 


For example, suppose a word processing application resides in a directory called
appsvol:wpapps\oo10. You map a network-search drive to that directory in login scripts you
create for users.


Later, you upgrade the word processing application and rename its directory from
appsvol:wpapps\oo10 to appsvol:wpapps\oo11. You must modify the path in the network
drive map in every login script where that network-search map appears.


If you map the directory path to a Directory Map object instead of a network-search drive, you can
avoid tedious modifications of the login scripts. Use the eDirectory plug-in for Novell iManager to
create a Directory Map object. For example, create a Directory Map object called default_wpapp
for appsvol:wpapps\oo11. Place a map command in your login scripts that maps a search drive to
the Directory Map object, rather than to the specific directory. For example:


map ins s2:=.default_wpapp.dept.domain_us 


When users log in, their network-search drive is mapped to the default_wpapp Directory Map
object, which, in turn, points to appsvol:wpapps\oo11.


Later, if you install yet another default word processor and change the directory’s name to
appsvol:wpapps\superwp, you need to change only the directory path in the default_wpapp
Directory Map object. You do not need to change the map command in the login script because the
map command still indicates the correct Directory Map object.


Additional Information 


For information, see “Object Classes and Properties” in the Novell eDirectory 8.8 Administration 
Guide. 


5.6 Drive Map 


A drive map is a pointer to a location in your local or network file system. The map assigns a local 
drive letter to a directory path on a volume where you have access rights. The directory path 
includes the volume, directory, and any subdirectories leading to the file. The local drive letter can 
be used instead of the complete path name. 


Drive maps can be permanent or temporary: 


+ Permanent Map: To map a drive so you can use it every time you log in, place a map 
command in your Novell Client login script, or use the mapping functionality of your client 
operating system and enable it to reconnect at login. The network drive is remapped every time 
you log in. 

+ Temporary Map: To map a drive so you can use it only during your current session, use the
Novell Map Network Drive option in the Novell Client, use the NetWare map command from a 
system prompt, or use the mapping functionality of your client operating system. The network 
drive map is valid only until you log out. 


NetWare recognizes three types of drive mappings: 


+ Local Drive Maps 
+ Network Drive Maps 
+ Network-Search Drive Maps 


For information about how to use the NetWare map command, see the following: 


+ “MAP” in the NW 6.5 SP8: Utilities Reference. 
+ “Using Login Scripts” in the Novell Login Scripts Guide. 


5.6.1 Local Drive Maps 


You create local drive maps to establish directory paths to local storage media such as your 
workstation disk drives, CD drives, Zip* drives, USB drives, and floppy disk drives. 


Typically, the lastdrive command in your DOS configuration settings on a Windows computer is 
set to end with drive E: (lastdrive=e), or with the last drive specification in use on your system. 
Typically, drives C: through E: are used for local drives, but you can assign more drive letters, if
needed, by modifying the lastdrive command. 








To change this default, use a text editor to add or modify the DOS lastdrive command in your 
workstation config.sys file. For example: 


lastdrive=Z 


5.6.2 Network Drive Maps 


Network drive maps point to volumes and directories on the network where you have access rights. 
Typically, drives F: through Z: are used for network drive maps on your Windows computer. Each 
user can map drive letters to different directories. 


5.6.3 Network-Search Drive Maps 


Network-search drive maps point to directories that contain frequently used files such as 
applications files. This map enables the system to locate an application file even if it is not located in 
the directory where you are working. 


Network-search drive maps are numbered, although they also have drive letters. For example, a 
network-search drive 1 (or s1) can also be known as network drive Z:. 


You can map up to 16 network-search drives, beginning with drive letter Z: (s1) and moving
backwards through the alphabet to K: (s16). You cannot map a network-search drive and a regular 
network drive to the same drive letter. 


If you request a file that the system cannot find in your current directory, the system looks in every 
directory where a network-search drive is mapped. The system searches, following the numerical 
order of the search drives, until the program file is found or cannot be located. 

Network-search drive maps are not supported on IBM OS/2 workstations. The search functionality
is provided with the OS/2 path, libpath, and dpath commands in the config.sys file.
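
The lookup order described in Section 5.6.3 and the Directory Map indirection from Section 5.5, modeled as an added example that is not part of the Novell guide. It resolves a filename through the current directory and then s1 through s16, shows how retargeting a Directory Map object changes the result without touching the map command, and reports filenames where an earlier search drive shadows a later one. All drive maps, directory listings, and function names are constructed for illustration.

```python
# Added example (not from the Novell guide): search-drive lookup order,
# Directory Map indirection, and detection of shadowed filenames.
from typing import Dict, List, Optional, Set, Tuple

MAX_SEARCH_DRIVES = 16  # s1..s16, as stated in the text

# Constructed sample data. Paths are lowercase because NetWare ignores case.
DIR_MAPS = {".default_wpapp.dept.domain_us": r"appsvol:wpapps\oo11"}
SEARCH = {1: "sys:public", 2: ".default_wpapp.dept.domain_us", 3: "appsvol:dbapp"}
NETWORK = {"F": "data:", "Y": "data:projects"}   # regular network drive maps
LISTINGS: Dict[str, Set[str]] = {
    "sys:public":              {"map.exe", "ndir.exe"},
    r"appsvol:wpapps\oo11":    {"wp.exe", "setup.exe"},
    r"appsvol:wpapps\superwp": {"wp.exe"},
    "appsvol:dbapp":           {"db.exe", "setup.exe", "map.exe"},
}


def search_drive_letter(n: int) -> str:
    """s1 is Z:, s2 is Y:, and so on backwards to s16, which is K:."""
    if not 1 <= n <= MAX_SEARCH_DRIVES:
        raise ValueError("search drive number must be 1..%d" % MAX_SEARCH_DRIVES)
    return chr(ord("Z") - (n - 1))


def resolve_target(target: str, dir_maps: Dict[str, str]) -> str:
    """A map target is either a directory path or the name of a Directory Map object."""
    return dir_maps.get(target, target).lower()


def check_letter_conflicts(search: Dict[int, str], network: Dict[str, str]) -> List[str]:
    """A search drive and a regular network drive cannot share a drive letter."""
    used = {letter.upper() for letter in network}
    return [search_drive_letter(n) for n in sorted(search)
            if search_drive_letter(n) in used]


def locate(filename: str, current_dir: str, search: Dict[int, str],
           dir_maps: Dict[str, str], listings: Dict[str, Set[str]]) -> Optional[str]:
    """Look in the current directory first, then in search drives in numerical order."""
    order = [current_dir.lower()]
    order += [resolve_target(search[n], dir_maps) for n in sorted(search)]
    for directory in order:
        if filename.lower() in listings.get(directory, set()):
            return directory
    return None


def shadowed_files(search: Dict[int, str], dir_maps: Dict[str, str],
                   listings: Dict[str, Set[str]]) -> List[Tuple[str, str, List[str]]]:
    """Return (filename, directory that wins, directories it hides) for duplicates."""
    seen: Dict[str, List[str]] = {}
    for n in sorted(search):
        directory = resolve_target(search[n], dir_maps)
        for name in listings.get(directory, set()):
            dirs = seen.setdefault(name.lower(), [])
            if directory not in dirs:   # two search drives may point at one directory
                dirs.append(directory)
    return sorted((name, dirs[0], dirs[1:]) for name, dirs in seen.items()
                  if len(dirs) > 1)


if __name__ == "__main__":
    print("wp.exe found in:", locate("wp.exe", "data:projects", SEARCH, DIR_MAPS, LISTINGS))
    for name, winner, hidden in shadowed_files(SEARCH, DIR_MAPS, LISTINGS):
        print("%s: %s hides the copy in %s" % (name, winner, ", ".join(hidden)))
    print("letter conflicts:", check_letter_conflicts(SEARCH, NETWORK))
```

A shadowed filename means users run whichever copy sits on the lowest-numbered search drive, so review who holds Create or Write rights in that directory.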

Planning Directory Structures for NetWare Servers


This section presents a simple example of directory structures to help you organize data in the 
Novell® Storage Services™ (NSS) File System and the legacy NetWare® Traditional file system for 
Novell Open Enterprise Server 2 NetWare, NetWare 6.5 SP7, and later versions. Based on the 
example and the accompanying information, you can begin to design a directory hierarchy suitable 
to your own needs. 





IMPORTANT: For file systems on NetWare, we recommend that you create separate volumes for 
applications and user data, reserving the sys: volume for the operating system and its extensions. 





+ Section 6.1, “Organizing Directory Structures Based on Access Requirements,” on page 39
+ Section 6.2, “Managing Directory Structures for Network Applications,” on page 40

+ Section 6.3, “Designing Application Directory Structures,” on page 40

+ Section 6.4, “Designing Data Directory Structures,” on page 42

+ Section 6.5, “Designing Home or User Directory Structures,” on page 42


6.1 Organizing Directory Structures Based on Access Requirements


Security is one of the most important aspects of file system organization. File system trustees and 
trustee rights specify who can access different directories and files. File system directory and file 
attributes specify what authenticated users can do with the file, such as being able to merely read a 
file or to modify it. 


Organizing the Directory Structure 


Organize directories and files according to who needs access to them. In other words, use the 
directory structure to reflect access requirements. 


For example, you can structure the hierarchy of directories in such a way as to take advantage of the 
inheritance aspect of rights. Associate file system trustees and trustee rights with volumes, 
directories, and files as a safeguard against deletion or modification by users. Specify directory and 
file attributes to control what users can do. 

Grouping the User Community 


Group the user community based on each user’s access requirements. 


Users grouped by role (relative to file access) can be assigned ownership of directories and files, and 
users whose roles vary can be assigned rights on the basis of equivalence. 


Users needing a particular kind of access to certain directories and files can be grouped so that 
appropriate access belongs to the group (and consequently, to each member). 

6.2 Managing Directory Structures for Network Applications


You can install various types of network applications, such as word processing or spreadsheet 
programs, to make them available to users. When installing applications, keep the following in 
mind: 


+ To install applications on your NSS or Traditional file system, you must be a Trustee with the
Create right for the directory where you will be installing the application. The Supervisor user 
of the server automatically has this file-system trustee right. 


+ Follow the instructions in the application’s documentation for installing the application onto a
network. Make sure the application is designed for network (multiuser) use. 


+ When creating application directories, consider issues related to ease of distribution, 
installation, and operational control for network applications. 


+ If the application requires that it be installed at the root of a volume, but you would rather
install it in a subdirectory for security reasons, you can map the directory to a fake root.

For information, see Section 5.4, “Fake Root Directory,” on page 35.

+ After you install the application:


+ Designate Novell eDirectory organization, role, and user objects as file system Trustees 
for the application directory and its contents. 


+ Assign access rights for each trustee. 
+ Configure attributes for the directory and its files. 


For information, see “Configuring File System Trustees, Trustee Rights, Inherited Rights 
Filters, and Attributes” on page 83. 


+ To allow users to access network-based applications, map search drives to the directories that
contain these applications. For information, see “Network-Search Drive Maps” on page 37. 


To make the mapped search drives permanent, place them in login scripts, which are executed 
when users log in. For information, see the Novell Login Scripts Guide. 


+ You can create a Directory Map object that points to an application directory. 


Directory Map objects are useful in login scripts. Instead of mapping a drive to a specific 
directory path, you map a drive to a Directory Map object that points to a directory. 


If you change the directory path, you need to change only the Directory Map object’s 
definition. 

+ If you install the application in the sys:\public directory, it is not necessary to make file
system Trustee assignments or map a search drive. Because users generally have Read and File
Scan rights in sys:\public, users can see and use all applications installed there. Use this
directory structure only if you want all users to have access to all applications.


6.3 Designing Application Directory Structures 


Application directories are storage areas where you install applications for convenient network 
access by groups, users, and other applications. You can install a variety of network applications, 
such as word processing or spreadsheet programs, and make them available to users. 

For ease of management, create a separate volume for your applications and store applications in
different directories. Mixing NetWare utilities with application program files complicates the file 
structure when you upgrade a network. An application file might have the same filename as a 
NetWare utility file or another application’s program file. If filenames are the same, one file 
overwrites the other because two files with the same filename cannot coexist in a directory. 


Keep program files separate from data files to simplify application management. For example, 
program files seldom change, but user data changes frequently. By creating a separate application 
volume and data volume, you can back up program files separately from data files. Frequent
network backup can then focus only on data directories, with application volumes being backed up 
as needed. Creating data directories for shared data files allows single-point backup and 
management of shared files. 


This section describes the following examples of application directory structures: 


+ Application Volume with Separate Application Directories Off Its Root 
+ Sys: Volume with a Parent Application Directory Off Its Root 

+ Sys: Volume with Separate Application Directories Off Its Root 

+ Sys:public Directory with a Parent Application Directory 


6.3.1 Application Volume with Separate Application Directories Off Its Root


Create a separate volume for applications. Create a separate directory for each application off the 
root of the application volume, as shown in the following example. 


Figure 6-1 Application Volume with Separate Application Directories Off Its Root

[Figure labels: NetWare server; SYSTEM, PUBLIC, LOGIN, MAIL; APPSVOL; WORDPROC, DBAPP, SPRDSHT]


6.3.2 Sys: Volume with a Parent Application Directory Off Its Root

In the sys: volume, create a parent application directory at the root. Create a separate directory for 
each application in the parent application directory, as shown in the following example. 


Figure 6-2 Sys: Volume with a Parent Application Directory Off Its Root 

6.3.3 Sys: Volume with Separate Application Directories Off Its Root


In the sys: volume, create a separate directory for each application at the root of the volume, as 
shown in the following example. 


Figure 6-3 Sys: Volume with Separate Application Directories Off Its Root 

6.3.4 Sys:public Directory with a Parent Application Directory


Because users generally have Read and File Scan rights in sys: \public, users can see and use all 
applications installed in it. Use this directory structure only if you want all users to have access to all 
applications. 


We do not recommend installing applications in the sys: \public directory. If you decide to use the 
sys: public directory, create a parent directory for applications in sys: \public, as shown in the 
following example. 


Figure 6-4 Sys:public Directory with a Parent Application Directory 

6.4 Designing Data Directory Structures 


Data directories are storage areas where groups and users store work files and databases. Data 
directories allow users to share data, create work directories, and make Trustee assignments for 
groups or users who need access to these directories. You can also create a directory to transfer files 
between directories on the network. 


For ease of management, create a separate volume for your data and store different types of data in 
different directories. 


6.5 Designing Home or User Directory Structures 


To provide personal workspace for users, create a separate home or user volume and create a 
subdirectory in it for each user. You can also create parent directories for groups of user directories. 
The data files a home or user directory contains are not available to other users, except network 
administrators or managers who have the necessary access rights. 


For ease of management, create a separate volume for your home or user directories. 

If you decide to use the sys: volume, create a parent directory in volume sys:, such as home or 
users. Within the parent directory, the name of each subdirectory should be the username. 
Usernames can be up to 47 characters, but DOS displays only 8 characters in a one-level directory 
name. 


Figure 6-5 Home or User Directory Structure 

Managing Folders and Files on NSS and NetWare Traditional Volumes 


This section discusses how to configure directories in the Novell® Storage Services™ (NSS) file 
system for Linux and NetWare® and the legacy NetWare Traditional file system. 

+ Section 7.1, “Creating a Folder (Directory)” 
+ Section 7.2, “Deleting a File or Folder on an NSS Volume” 
+ Section 7.3, “Uploading Files to an NSS Volume” 
+ Section 7.4, “Downloading Files from an NSS Volume” 
+ Section 7.5, “Viewing Directory and File Information” 
+ Section 7.6, “Managing Directory Quotas” 
+ Section 7.7, “Copying or Moving Directories and Files” 
+ Section 7.8, “Salvaging or Purging Deleted Files with iManager” 
+ Section 7.9, “Salvaging or Purging Deleted Files with Other Tools” 
+ Section 7.10, “Purging Deleted Files or Directories (NetWare)” 
+ Section 7.11, “Moving a User’s Home Directory to a Different Partition (Linux)” 
+ Section 7.12, “Creating a Fake Root Directory with the Map Root Command” 
+ Section 7.13, “Disabling the Default Use of Map as Map Root in Login Scripts” 
+ Section 7.14, “Creating and Configuring a Directory Map Object” 
+ Section 7.15, “Mapping Network Drives” 


7.1 Creating a Folder (Directory) 


+ Section 7.1.1, “Prerequisites for Creating Folders” 
+ Section 7.1.2, “Tools for Creating Folders” 
+ Section 7.1.3, “Using Novell iManager to Create a Folder (Directory)” 
+ Section 7.1.4, “Using Novell Remote Manager for NetWare to Create a Folder (Directory) (NetWare)” 


7.1.1 Prerequisites for Creating Folders 


Before you can create a folder (directory) on an NSS volume or a NetWare traditional volume, you 
must be a trustee of the parent folder where you want to create the new folder, and have been granted 
the Create right for it. When creating a folder in the root directory of a volume, you must be a trustee 
of the Volume object and have the Create right for it. For information about assigning trustees and 
trustee rights, see Chapter 9, “Configuring File System Trustees, Trustee Rights, Inherited Rights 
Filters, and Attributes,” on page 83. 

7.1.2 Tools for Creating Folders 

On a NetWare server, you can create new folders (directories) at the server console. For Linux or 
NetWare servers, you can create folders by using the following management tools for the NSS file 
system and NetWare Traditional file system: 


Table 7-1 Tools for Creating Folders on NSS and NetWare Traditional File Systems 

Management Tool                                            NSS on Linux   NSS on NetWare   NetWare Traditional 
Files and Folders plug-in for Novell iManager 2.7          Yes            Yes              Yes 
Novell Client for Linux                                    Yes            Yes              Yes 
Novell Client™ for Windows XP/2003 and for Windows Vista   Yes            Yes              Yes 
Novell NetStorage                                          Yes            Yes              No 
Novell Remote Manager for Linux                            No             No               No 
Novell Remote Manager for NetWare                          No             Yes              Yes 


7.1.3 Using Novell iManager to Create a Folder (Directory) 


As an administrator, you can use the Files and Folders plug-in to iManager to create a folder on NSS 
volumes or NetWare Traditional volumes, and NCP volumes (NCP controlled shares on Reiser or 
Ext3 volumes on an OES 2 Linux server). 


Prerequisites 


+ The destination NSS volume must be in the same tree where you are currently logged in to 
iManager. 


+ You must have trustee rights for the volume and destination location where you want to create 
the new folder. The Create right is required for creating files and folders. 


Procedure 


1 In iManager, click Files and Folders, then click New Folder to open the New Folder page. 


2 Use one of the following methods to specify the destination path on the NSS volume where 
you want to create the new folder: 


+ Click the Search icon to browse and locate the destination folder, then click the name link 
of the folder to select it. 


+ Click the History icon to select a folder from the list of folders that you recently accessed. 
The pathname of the folder appears in the Path field. 
3 In Folder Name, type the name of the folder you want to create in the selected location. 
4 Click OK to create the folder, or click Cancel to abandon it. 
A message confirms when the folder has been successfully created. 
5 Click Repeat Task to create another folder, or click OK to dismiss the confirmation message. 


6 Click Files and Folders, then click Properties to set file system trustees, trustee rights, and 
attributes for the new folder or folders. 


7.1.4 Using Novell Remote Manager for NetWare to Create a 
Folder (Directory) (NetWare) 


1 In your Web browser, log in to Novell Remote Manager on the NetWare server where you want 
to create a directory in an NSS volume. The general form of the URL is 


http://192.168.1.1:8008 

https://192.168.1.1:8009 

Replace 192.168.1.1 with the actual IP address or DNS name of your server. 
2 Click Manage Server > Volumes. 


3 Click the Properties icon next to the volume you want to manage. 

4 Type the name of the subdirectory, then click Create Subdirectory. 


7.2 Deleting a File or Folder on an NSS Volume 


As an administrator, you can use the Files and Folders plug-in to iManager to delete a file or folder 
on an NSS volume. 


7.2.1 Prerequisites 


+ The NSS volume must be in the same tree where you are currently logged in to iManager. 


+ You must have trustee rights for the file or folder that you want to delete. The Erase right is 
required to delete the file. 


+ A folder must be empty before it can be deleted. 


7.2.2 Procedure 


1 In iManager, click Files and Folders, then click Delete to open the Delete File or Folder page. 
2 Use one of the following methods to specify the file or folder that you want to delete from the 
NSS volume: 


+ Click the Search icon to browse and locate the file or folder, then click the name link of 
the object to select it. 


+ Click the History icon to select a file or folder from the list of files and folders that you 
recently accessed. 


The pathname of the folder appears in the Name field. 
3 Click OK to delete the selected file or folder, or click Cancel to abandon the delete process. 
A message confirms when the file or folder has been successfully deleted. 


4 Click Repeat Task to delete another folder, or click OK to dismiss the confirmation message. 


7.3 Uploading Files to an NSS Volume 


As an administrator, you can use the Files and Folders plug-in to iManager to upload files from your 
local computer to an existing folder on an NSS volume. 


7.3.1 Prerequisites 


+ The destination NSS volume must be in the same tree where you are currently logged in to 
iManager. 


+ You must have trustee rights for the destination folder in order to be able to find the folder and 
upload the file. The Create right is required for file uploads. 


7.3.2 Procedure 


1 In iManager, click Files and Folders, then click Upload to open the Upload File page. 


2 Use one of the following methods to specify the path to the folder on the NSS volume where 
you want to put the file: 


+ Click the Search icon to browse and locate the folder, then click the name link of the 
folder to select it. 


+ Click the History icon to select a folder from the list of folders that you recently accessed. 
The pathname appears in the Path field. 
3 Select the file on your local computer that you want to upload: 
3a Click Browse to open a local file browser dialog box. 
3b Browse and locate the file. 
3c Select the file, then click Open. 
The local pathname for the selected file appears in the File Name field. 
4 Click OK to begin the upload, or click Cancel to abandon the process. 


A message confirms when the file has been successfully uploaded. Wait until the upload 
completes before proceeding to other tasks. 


5 Click Repeat Task to upload another file, or click OK to dismiss the confirmation message. 


7.4 Downloading Files from an NSS Volume 


As an administrator, you can use the Files and Folders plug-in to iManager to download a file from 
an NSS volume to your local computer. 


7.4.1 Prerequisites 


+ The NSS volume must be in the same tree where you are currently logged in to iManager. 


+ You must have trustee rights for the file in order to be able to browse to and download the file. 


7.4.2 Procedure 


1 In iManager, click Files and Folders, then click Download to open the Download File page. 


2 Use one of the following methods to select the file that you want to download from the NSS 
volume to your local drive: 


+ Click the Search icon to browse and locate the file, then click the name link of the file to 
select it. 


+ Click the History icon to select a file from the list of files that you recently accessed. 
The pathname appears in the File Name field. 
3 Click OK to open the File Download dialog box. 

IMPORTANT: If the File Download dialog box does not open, make sure the security settings 
in your browser allow downloads from the server by adding the server as a trusted site, then try 
again. 





4 Use one of the following methods to save the file to the local computer: 


+ Click Open to view the file in an appropriate application, then save the file by using the 
application's File > Save options. 


The application that opens the file must already be installed on your computer. 


+ Click Save to open the Save As dialog box, browse to an existing folder or create a new 
local folder where you want to save the file, then click Save. 


The browser’s download manager manages the download and notifies you when the 
download is complete. 


You can continue with other iManager tasks while the file is downloading. 


7.5 Viewing Directory and File Information 


You can see extended information about a directory or file with Novell NetStorage, Novell Remote 
Manager, and the Novell Client. 


You can view directory information such as 


+ Owner and trustees 
+ Creation date and time 
+ Attributes, effective rights, and the IRF 


+ Disk space limitations 


You can view file information such as 


+ Owner and trustees 

+ Attributes, effective rights, and the Inherited Rights Filter (IRF) 
+ Name space 

+ File size 


+ Creation, access, archive, and modify dates 


For information, see “Understanding File System Access Control Using Trustees” on page 67. 


7.6 Managing Directory Quotas 


A directory quota limits the amount of space on an NSS volume that can be consumed by all of the 
files and folders in that directory. If the value you specify exceeds the volume quota, the volume 
quota overrides the directory quota. If the current size of the directory exceeds the specified limit, 
users cannot save data to the directory until space is cleared by removing files from the directory. 


Before you can set directory quotas, you must enable the volume’s Directory Quotas attribute. As 
the administrator user, you can view and configure directory quotas with the Files and Folders plug- 
in for iManager, NetStorage, and the Novell Client™. For NSS on NetWare, you can also use Novell 
Remote Manager for NetWare. 

This section describes the following: 

+ Section 7.6.1, “Enabling or Disabling the Directory Quotas Attribute for an NSS Volume” 
+ Section 7.6.2, “Configuring Directory Quotas” 
+ Section 7.6.3, “Removing a Directory Quota” 
+ Section 7.6.4, “Removing All Directory Quotas for an NSS Volume” 


7.6.1 Enabling or Disabling the Directory Quotas Attribute for 
an NSS Volume 


Before setting directory quotas on an NSS volume, you must enable the Directory Quotas attribute 
for the volume. You can set the attribute at create time or at any time for an existing volume. 


To set the Directory Quotas attribute for an existing volume: 


1 In iManager, click Storage > Volumes. 
2 Select a server to manage to view a list of NSS volumes on the server. 
3 In the Volumes list, select a volume that you want to manage. 
Wait for the volume details to be displayed before you continue. 
4 Click Properties. 


The Properties page has three tabs: Attributes, Statistics, and Quota Usage. It opens to the 
Attributes tab. 


5 On the Attributes tab, select or deselect the Directory Quotas check box, then click Apply. 


6 (Linux) If you enabled or disabled the Directory Quotas attribute, restart NCP2NSS by 
entering the following at a terminal console prompt: 


/etc/init.d/ncp2nss restart 


7.6.2 Configuring Directory Quotas 


+ “Adding or Modifying a Directory Quota with iManager” 
+ “Adding or Modifying a Directory Quota with Novell NetStorage” 
+ “Adding or Modifying Directory Quotas with the Novell Client” 
+ “Adding or Modifying a Directory Quota with Novell Remote Manager for NetWare” 


Adding or Modifying a Directory Quota with iManager 


1 In iManager, select Files and Folders > Properties. 


2 Click the Search icon, then browse to locate and select the folder you want to manage on an 
NSS volume. 


3 On the Information tab, select Restrict Size to enable space restrictions for the selected 
directory. 


4 In the Limit field, type the directory quota in KB. 
The value must be an increment of 4 KB; that is, it must be divisible by 4 with no remainder. 


5 Click Apply or OK to apply the changes. 


Adding or Modifying a Directory Quota with Novell NetStorage 


Using Novell NetStorage, you can manage directory quotas for directories in an NSS volume from 
any computer with a supported Web browser. This requires you to first configure a NetStorage 
server in the same context. For information, see the following: 


+ OES 2 SP2: NetStorage for Linux Administration Guide 
+ NW 6.5 SP8: NetStorage Administration Guide 


To create or modify NSS directory quotas with NetStorage: 


1 In a Web browser, connect to NetStorage. 

2 Log in to NetStorage with the username and password of the Admin user or equivalent user. 

3 Navigate to the directory you want to manage. 

4 Right-click the directory, then select Properties. 

5 Click the NetWare Info tab. 

Use the NetWare Info tab whether your server is OES Linux or NetWare. 


6 Do one of the following to configure the directory quota: 


+ Space Restriction: Select Restrict Size, then specify the directory quota in KB. The value 
must be a multiple of 4. 


+ No Space Restriction: Deselect Restrict Size to set the directory quota to Unlimited. 


+ Complete Space Restriction: Select Restrict Size, then specify the directory quota as 0 
KB. If the directory already contains files and subdirectories, the directory cannot grow 
beyond the current space consumed. 


7 Click Apply to accept the directory quota configuration. 


Adding or Modifying Directory Quotas with the Novell Client 


The Novell Client for Windows 2000/XP allows the admin user to manage directory quotas for 
directories in an NSS volume from a Windows computer. 


1 In the Novell Client, map a drive to the NSS directory you want to manage, or map to its parent 
directory. 


1a Right-click the Novell Client icon (the red N icon in the notification area), then select 
Novell Map Network Drive. 


1b Specify the network path to the directory. For example: 192.168.1.1/users. 
1c Specify the username of the Admin user or equivalent user, then click Map. 
1d When prompted, enter the user’s password. 


2 In a file browser, locate and right-click the directory you want to manage, then click Properties 
> NetWare Info. 


Use the NetWare Info tab whether your server is OES Linux or NetWare. 
3 In the Space Restriction field, click Change to open the Space Restriction dialog box. 


4 Do one of the following to configure the directory quota: 
+ Space Restriction: Specify the directory quota in KB. The value must be a multiple of 4. 


+ No Space Restriction: Select No Space Restriction to set the directory quota to 
Unlimited. 


+ Complete Space Restriction: Select Complete Space Restriction to set the directory 
quota to 0 KB. If the directory already contains files and subdirectories, the directory 
cannot grow beyond the current space consumed. 


5 Click OK to accept the directory quota. 


Adding or Modifying a Directory Quota with Novell Remote Manager for NetWare 


1 Access Novell Remote Manager for your NetWare server. 


2 Click Volumes to open the Volumes page. 
3 Locate the volume where the directory resides, then click the volume name link to view a 
directory listing for the volume. 


4 Locate the directory you want to manage, then click the Directory Information icon to the 
left of the directory to open the Directory Entry Information page. 


5 In the Directory Entry Information field, click the File Space Limit link. 

Figure 7-1 NetStorage Directory Quotas File Space Limit Link 


This link is not available if you did not enable the Directory Quotas attribute when you created 
the parent volume. 


6 Do one of the following: 


+ Space Restriction: Specify the maximum size (in kilobytes) for the selected directory, 
then click Set Space Restriction to apply the setting. 


+ No Space Restriction: Click No Quota to remove space restrictions for the selected 
directory. 


+ Complete Space Restriction: Specify the maximum size as 0 KB. If the directory already 
contains files and subdirectories, the directory cannot grow beyond its current space 
consumed. 
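
The quota rules in this section (values in KB that are multiples of 4, the volume quota overriding a larger directory quota, 0 KB freezing growth, and saves refused once a directory is over its limit) can be checked against a planned set of quotas before they are entered. The following Python is an added example, not a Novell tool; the function names, the DATA: paths, and the usage figures are constructed for illustration, and it assumes the volume's Directory Quotas attribute is enabled.

```python
"""Pre-check a directory quota plan against the rules in Section 7.6.

Added example, not a Novell tool. All paths and sizes below are constructed.
Quotas are whole KB; None means "No Space Restriction".
"""


def round_up_4kb(kb):
    """Smallest multiple of 4 that is >= kb."""
    return -(-kb // 4) * 4


def check_quota(kb):
    """Return None when kb is an acceptable quota value, else the reason."""
    if kb is None:
        return None  # no space restriction
    if isinstance(kb, bool) or not isinstance(kb, int) or kb < 0:
        return "quota must be a non-negative whole number of KB"
    if kb % 4:
        return (f"{kb} KB is not a multiple of 4; "
                f"next valid value is {round_up_4kb(kb)} KB")
    return None


def effective_limit(dir_quota_kb, volume_quota_kb=None):
    """The volume quota overrides a directory quota that exceeds it."""
    limits = [q for q in (dir_quota_kb, volume_quota_kb) if q is not None]
    return min(limits) if limits else None


def can_save(used_kb, incoming_kb, dir_quota_kb, volume_quota_kb=None):
    """Would a save of incoming_kb be accepted? (simplified model)"""
    if dir_quota_kb == 0:
        return incoming_kb <= 0  # complete restriction: no growth at all
    limit = effective_limit(dir_quota_kb, volume_quota_kb)
    return limit is None or used_kb + incoming_kb <= limit


def review_plan(plan, volume_quota_kb=None):
    """Flag each (path, quota_kb, used_kb) entry in a quota plan."""
    report = {}
    for path, quota_kb, used_kb in plan:
        flags = []
        if check_quota(quota_kb) is not None:
            flags.append("invalid")        # would be rejected on entry
        elif quota_kb is None:
            flags.append("unlimited")      # can consume the whole volume
        elif quota_kb == 0:
            flags.append("frozen")         # cannot grow past current size
        else:
            limit = effective_limit(quota_kb, volume_quota_kb)
            if limit < quota_kb:
                flags.append("capped")     # volume quota wins
            if used_kb > limit:
                flags.append("over-quota")  # saves refused until cleanup
        report[path] = flags
    return report


# Constructed plan: (directory, planned quota in KB, current usage in KB)
SAMPLE_PLAN = [
    ("DATA:projects", 500000, 120000),
    ("DATA:scratch", 1002, 0),
    ("DATA:archive", 0, 88000),
    ("DATA:media", 4000000, 10),
    ("DATA:home/jsmith", 20000, 20480),
    ("DATA:tmp", None, 5),
]

if __name__ == "__main__":
    for path, flags in review_plan(SAMPLE_PLAN, 2000000).items():
        print(f"{path:18} {', '.join(flags) or 'ok'}")
```

Directories flagged unlimited are the ones that can exhaust the volume for every other user, so they are worth reviewing first.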


7.6.3 Removing a Directory Quota 


1 In iManager, select Files and Folders > Properties. 


2 Click the Search icon, then browse to locate and select the folder you want to manage on an 
NSS volume. 


3 On the Information tab, deselect Restrict Size to disable space restrictions for the selected 
folder. 


4 Click Apply or OK to apply the changes. 


7.6.4 Removing All Directory Quotas for an NSS Volume 


To delete the directory quotas for all directories on an NSS volume without dealing individually 
with each directory, you can simply disable the Directory Quotas attribute for the NSS volume. 

1 In iManager, click Storage > Volumes. 
2 Select a server to manage. 
3 In the Volumes list, select a volume that you want to manage. 


4 Click Properties. 
The Properties page has three tabs: Attributes, Statistics, and Quota Usage. It opens to the 
Attributes tab. 


5 On the Attributes tab, deselect the Directory Quotas check box, then click Apply. 
6 (Linux) Restart NCP2NSS by entering the following at a terminal prompt: 


/etc/init.d/ncp2nss restart 


7.7 Copying or Moving Directories and Files 


You can copy or move a directory’s subdirectories and files, if you have the necessary rights to do 
so. You cannot move the location of the directory itself, unless you also have the necessary rights for 
the parent directory of the target directory and for the destination directory. 


To copy or move a directory’s subdirectories and files, you must have File Scan rights to the source 
directory, and you must have the Create right to the destination directory. 


To move a directory’s subdirectories and files, you must also have the Erase right to the source 
directory, because moving files includes deleting them from the source directory. For instructions, 
see “Viewing Details about Files and Performing Actions on Them” in the NW 6.5 SP8: Novell 
Remote Manager Administration Guide. 


7.8 Salvaging or Purging Deleted Files with iManager 


As an administrator, you can use the Files and Folders plug-in to iManager to salvage or purge 
deleted files from an NSS volume where the Salvage attribute is enabled. When salvaging deleted 
files, the file content, trustees, trustee rights, and inherited rights filter are just as they were before 
the file was deleted. If the rights in the tree above the salvaged file have changed, then the inherited 
rights for the salvaged deleted file are calculated based on the current rights above it in the directory 
tree. 

+ Section 7.8.1, “Prerequisites” 
+ Section 7.8.2, “Salvaging a Deleted File” 
+ Section 7.8.3, “Purging Deleted Files” 


7.8.1 Prerequisites 


+ The NSS volume that you want to manage must be in the same tree where you are currently 
logged in. 


+ You must have trustee rights for the file that you want to manage. 


+ The NSS volume must be configured for salvage in order for deleted files to be available. 
Enable the Salvage attribute by going to the volume’s Attributes page (Storage > Volumes > 
Properties > Attributes), select Salvage, then click OK. 


+ Deleted files are typically purged according to the Purge Delay settings on the server. When the 
delay time elapses, the deleted file is no longer available for salvage. 


+ Deleted files can be salvaged by any trustee for the file with the Create right. If another user has 
salvaged the deleted file, it is no longer available for salvage. 


+ Deleted files can be purged by any trustee for the file with the Erase right. If another user has 
purged the deleted file, it is no longer available for purge. 


+ If the Purge Immediate attribute is set for a file or folder, it is immediately and permanently 
removed from the volume upon deletion. 


7.8.2 Salvaging a Deleted File 


You can salvage a deleted file and restore it to the directory from which it was deleted if you are a 
trustee of the file with the Create right. You can choose to overwrite any existing copies of the file in 
that location, or to rename the deleted file before it is salvaged. Review the guidelines in 
Section 7.8.1, “Prerequisites,” on page 56 to understand when deleted files are available for salvage. 


1 In iManager, click Files and Folders, then click Deleted File to open the Deleted File page. 


2 On the Deleted File page, use one of the following methods to locate the folder on an NSS 
volume where the deleted file existed when it was deleted: 


+ Click the Search icon to browse and locate the folder, then click the name link of the 
folder to select it. 


+ Click the History icon to select a folder from the list of folders that you recently accessed. 


The Deleted Files report lists the deleted files in the folder and shows who deleted each file and 
when it was deleted. 


3 Browse the list of deleted files to locate the version of the file you want to salvage. 
4 Select the deleted file that you want to salvage, then click Salvage. 


5 If a current file in the folder is named the same as the salvaged file, you are prompted to do one 
of the following: 


+ Type a new name for the salvaged file, then click OK. 
+ Click OK to overwrite the current file with the salvaged file. 
A confirmation message confirms that the file was successfully saved. 


6 Click Repeat Task to salvage or purge other deleted files, or click OK to dismiss the 
confirmation message. 


7.8.3 Purging Deleted Files 


You can purge a deleted file to remove it immediately from the volume if you are a trustee of the file 
with the Erase right. Purged files can no longer be salvaged. Review the guidelines in Section 7.8.1, 
“Prerequisites,” on page 56 to understand when deleted files are available. 


Deleted files can be purged by any trustee for the file with the rights to do so. The Erase right is 
required for purging. 


1 In iManager, click Files and Folders, then click Deleted File to open the Deleted File page. 


2 On the Deleted File page, use one of the following methods to locate the folder on an NSS 
volume where the deleted file existed when it was deleted: 


+ Click the Search icon to browse and locate the folder, then click the name link of the 
folder to select it. 


+ Click the History icon to select a folder from the list of folders that you recently accessed. 


The Deleted Files report lists the deleted files in the folder and shows who deleted each file and 
when it was deleted. 


3 Browse the list of deleted files to locate the version of the file you want to purge. 
4 Select one or multiple deleted files that you want to purge, then click Purge. 
A confirmation message confirms that the file was successfully purged. 


5 Click Repeat Task to salvage or purge other deleted files, or click OK to dismiss the 
confirmation message. 


7.9 Salvaging or Purging Deleted Files with Other Tools 


Use any of the following methods to salvage or purge deleted files. To purge, the user must be a 
trustee of the file with the Erase right. To salvage, the user must be a trustee of the file with the 
Create right. 

+ Section 7.9.1, “Using NetStorage” 
+ Section 7.9.2, “Using the Novell Client” 
+ Section 7.9.3, “Using Novell Remote Manager for NetWare (NetWare)” 
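
The rights requirements stated in Sections 7.1 through 7.9 (Create to make folders, upload, and salvage; Erase to delete and purge; File Scan plus Create to copy, with Erase added to move) can be checked against a trustee assignment before it is granted, to see which other tasks the same rights also permit. The following Python is an added example, not Novell code; the single-letter rights mask (S R W C E M F A), the rule that Supervisor implies every right, and all function names are assumptions of the example.

```python
"""Least-privilege check for the file operations described in this chapter.

Added example, not Novell code. Task requirements come from the chapter
text; the mask letters and the Supervisor rule are assumptions.
"""

# Supervisor, Read, Write, Create, Erase, Modify, File Scan, Access Control
ALL_RIGHTS = "SRWCEMFA"

# Rights each task needs on the entry acted on ("target") and on the
# directory that receives new entries ("dest").
TASKS = {
    "create_folder": {"target": "",   "dest": "C"},   # Section 7.1.1
    "upload":        {"target": "",   "dest": "C"},   # Section 7.3.1
    "delete":        {"target": "E",  "dest": ""},    # Section 7.2.1
    "copy":          {"target": "F",  "dest": "C"},   # Section 7.7
    "move":          {"target": "FE", "dest": "C"},   # Section 7.7
    "salvage":       {"target": "C",  "dest": ""},    # Section 7.8.1
    "purge":         {"target": "E",  "dest": ""},    # Section 7.8.1
}


def parse_mask(mask):
    """Turn a mask such as '_R____F_' or 'RF' into a set of right letters."""
    rights = set()
    for ch in mask.upper():
        if ch in "_ []":
            continue  # placeholders for rights that are not granted
        if ch not in ALL_RIGHTS:
            raise ValueError(f"unknown right {ch!r} in mask {mask!r}")
        rights.add(ch)
    # Assumption: Supervisor implies every other right.
    return set(ALL_RIGHTS) if "S" in rights else rights


def _gap(task, target, dest):
    """Rights the task still lacks at each location."""
    need = TASKS[task]
    return {
        "target": sorted(set(need["target"]) - target),
        "dest": sorted(set(need["dest"]) - dest),
    }


def _resolve(target_mask, dest_mask):
    target = parse_mask(target_mask)
    # With no separate destination, the task stays inside one directory.
    dest = target if dest_mask is None else parse_mask(dest_mask)
    return target, dest


def allowed_tasks(target_mask, dest_mask=None):
    """Every task the given rights permit, intended or not."""
    target, dest = _resolve(target_mask, dest_mask)
    return {t for t in TASKS if not any(_gap(t, target, dest).values())}


def audit(target_mask, dest_mask=None, intended=()):
    """Compare an assignment with the tasks the trustee is meant to do."""
    intended = set(intended)
    unknown = intended - set(TASKS)
    if unknown:
        raise ValueError(f"unknown tasks: {sorted(unknown)}")
    target, dest = _resolve(target_mask, dest_mask)
    missing = {}
    for task in sorted(intended):
        gap = _gap(task, target, dest)
        if gap["target"] or gap["dest"]:
            missing[task] = gap
    unintended = sorted(allowed_tasks(target_mask, dest_mask) - intended)
    return {"missing": missing, "unintended": unintended}


if __name__ == "__main__":
    # Constructed case: a role meant only to salvage files, granted R C E F.
    print(audit("_R_CE_F_", intended={"salvage"}))
```

The unintended list shows the side effects of a grant: the Erase right that a move needs also permits delete and purge, and the Create right that a salvage needs also permits uploads and new folders.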


7.9.1 Using NetStorage 


Using NetStorage, the Admin user, the Admin-equivalent user, and individual users can purge and 
possibly undelete NSS files that were previously deleted on your Linux or NetWare server. 


1 Access NetStorage. 


2 In the left column, select the directory where the deleted files were located when they were 
deleted. 


3 Click View, then click Show Deleted Files. 
4 Select the check box next to one or more files you want to undelete or purge. 
5 Click File, then click Undelete or click Purge. 


7.9.2 Using the Novell Client 


Using the Novell Client™ for Windows 2000/XP/2003, Admin users, Admin-equivalent users, and 
individual users can purge and possibly undelete NSS files that were previously deleted on your 
Linux or NetWare server. 


1 Right-click the Novell Client icon (the red N) in the notification area to display the menu. 
Use the NetWare utility even if the NSS volume resided on a Linux server. 


2 If you want to salvage a deleted file, click NetWare Utilities > Salvage, browse to locate the 
directory where the deleted file resided, then do one of the following: 


+ To restore one or more deleted files, select the deleted files, then click Salvage File. 
+ To restore all deleted files in the directory, click Salvage All. 
When you are done, click OK. 


3 If you want to purge a deleted file, click NetWare Utilities > Purge, browse to locate the 
directory where the deleted file resided, then do one of the following: 


+ To purge one or more deleted files, select the deleted files, then click Purge File. 
+ To purge all deleted files in the directory, click Purge All. 


+ To purge the directory’s subdirectories and all deleted files in them, click Purge 
Subdirectories. 


4 When you are done, click OK. 


7.9.3 Using Novell Remote Manager for NetWare (NetWare) 


Using Novell Remote Manager for NetWare, the Admin user or equivalent user can purge and 
possibly undelete NSS files that were previously deleted on your NetWare server. 


1 In a Web browser, connect to Novell Remote Manager on the NetWare server where the deleted 
file resides. 
For information, see Section 4.2.4, “Accessing Novell Remote Manager,” on page 30. 

2 On the Volumes page, click the volume name link of the volume where the file was deleted. 


3 From the Directory list, click the Information icon to the left of the directory name where the file 
was deleted. 


4 On the Directory Information page, find the Salvageable Files field, then click the Select for 
List link. 


5 Do one of the following: 


+ Salvage: Locate the deleted file you want to restore, then click the Salvage button next to 
the filename. 


+ Purge: Locate the deleted file you want to purge, then click the Purge button next to the 
filename. 


+ Purge All: Click the Purge All Files button to purge all the files in the directory. 


7.10 Purging Deleted Files or Directories 
(NetWare) 


If your NetWare server is running out of disk space or you want to immediately purge files that have 
been deleted, you can easily do so on each volume from the Volume Information page in Novell 
Remote Manager for NetWare. 


7.10.1 Purging All Deleted Files 


To immediately purge all files that have been deleted from a volume: 





IMPORTANT: Files that have been purged can no longer be recovered. 





1 In Novell Remote Manager for NetWare, open the Volumes page. 
2 Click the Information icon to left of the name of the volume that you want to manage. 


3 On the Volume Information page, click the Purge Deleted Files link. 

7.10.2 Purging Specific Directories or Files 


To immediately purge specific files that have been deleted from a directory, or to immediately purge 
all files from a specific directory: 





IMPORTANT: Files that have been purged can no longer be recovered. 





1 In Novell Remote Manager for NetWare, open the Volumes page. 
2 Click the volume name link of the volume where the file was deleted. 


3 In the volume’s Directory list, click the Information icon to left of the directory where the file 
was deleted. 


4 On the Directory Information page, find the Salvageable Files field, then click the Select for 
List link. 


5 Do one of the following: 
+ Locate the file that you want to purge, and click the Purge button next to the file name. 
+ Click the Purge All Files button to purge all the files in the directory. 
+ Click the Purge link for each directory that you want to purge. 


7.11 Moving a User’s Home Directory to a 
Different Partition (Linux) 


You can move a user’s home directory to a new partition on the Linux server without losing current 
configurations, rights, and so on. The following procedure assumes that the home directories reside 
on Linux file systems such as Ext3 or Reiser. 
1 Log in to the server as the root user. 
2 Move the user’s home directory to the new location. 
3 Assign the user as the owner of the new location and everything under it by entering: 
chown -R username /newlocation/username 


Replace username with the user’s Linux username. Replace /newlocation/username with 
the new path to the user’s home directory. 


4 Point the user’s home environment to the new location. 
4a In YaST, click User Management > Edit > Details > Home Directory. 
4b Type the path to the new location. 
4c Save the changes. 


7.12 Creating a Fake Root Directory with the Map 
Root Command 


If your application must be installed at the root, load the files in a directory, then use the map root 
command in the login script to designate the directory as a fake root directory. For information about 
using the map command in a login script, see the Novell Login Scripts Guide. 

For example, suppose you want to install a word processing application, named mywpapp, on the 
apps: volume, and it requires a root directory installation. You do not want to put the application in 
the apps: volume’s root directory for security reasons. Instead, you install the application in the 
apps:wpapps\mywpapp subdirectory. In the Novell Client login script for users of the application, 
you use the map root command to map the subdirectory to the K: drive as a fake root: 


map root s16:=k:=apps:wpapps\mywpapp 


To change the fake root back to the original root, remap the drive. 





NOTE: You cannot use the DOS Change Directory (cd) command at the fake root to return to the 
original root. 





7.13 Disabling the Default Use of Map as Map 
Root in Login Scripts 


For Windows NT/2000/XP/2003 workstations that use Novell Client login scripts, a map command 
in the login script has the same effect as using an explicit map root command. It automatically 
enables a mapped NetWare subdirectory as a fake root directory. Applications installed in the 
subdirectory serving as the fake root cannot access directories above that subdirectory. 


If necessary, you can disable the map command’s automatic Map Root behavior on Windows by 
adding SET MAPROOTOFF="1" as the first line in the login script. To create a fake root when the 
MapRootOff parameter is enabled, the login script must explicitly use the map root command. 





For more information, see the Novell Login Scripts Guide. 


7.14 Creating and Configuring a Directory Map 
Object 


1 In your Web browser, log in to Novell iManager, then select the NetWare server where you 
want to create the Directory Map object. The general form of the URL is 


https://192.168.1.1/nps/iManager.html 
Replace 192.168.1.1 with the actual IP address or DNS name of your iManager server. 
The NetWare server must contain a NetWare NSS or Traditional volume. 


To provide access from your tree to NetWare file systems in other trees, you can create 
NetWare Server and Volume objects in your tree that point to the NetWare servers and volumes 
in the other trees. The NetWare Server objects must be created before the Volume or Directory 
Map objects. 

2 In Roles and Tasks, click eDirectory Administration > Create Object to open the Create Object 
page. 

3 (Conditional) If Directory Map is not one of the Available Object Classes, you must add the 
Directory Map object class to the list. 


When you select the Create Object task, it presents a list of available object classes. By default, 
it lists only the most commonly-used object classes in the list. You can add additional object 
classes to the list, which enables you to create corresponding objects using the Create Object 
option. 





IMPORTANT: Role-Based Services must be configured before you can use the iManager 
Development role. For information, see “Configuring and Customizing iManager” in the 
Novell iManager 2.7.3 Administration Guide. 





3a In iManager, click the Developer icon. 
3b Click iManager Development > Add Object Class To Creation List. 


3c Select Directory Map from the Available Object Classes list, then click Next. 


3d At the summary page, verify that the value of the class-name entry is 
com.novell.emframe.fw.GenericCreator, click Finish, then click OK. 





3e Return to the Create Object task by clicking the Roles and Tasks icon, then clicking 
eDirectory Administration > Create Object. 


3f Verify that the object classes you added are in the list of available object classes. 


In case of errors during this process, the Web server might need to be restarted in order for 
the newly added object type to be available in the Create Object task. 


4 In the Available Object Classes list, select Directory Map, then click OK. 


5 Specify the following information for the Directory Map object, then click OK. 


+ Directory Map Name: Type the common name that represents this Directory Map object 
for use in map and map root commands. 


+ Host Server: Select the NetWare 6.5 or later server where the directory resides. 


+ Context: Select the context of the directory you plan to specify as the path this object 
represents. 


6 Click Modify > General > Other to open the Modify Object page to the Directory Map’s 
Attributes information. 


8 Specify the volume and path for the Directory Map object that the object represents, then click 
OK. 


Novell iManager creates the Directory Map object with the specified volume and path, whether 
or not the specified path actually exists. 


9 (Conditional) If the path you specified for the Directory Map object does not exist on the 
NetWare 6.5 or later server, create the specified path. 


7.15 Mapping Network Drives 


1 In the taskbar of your workstation, right-click the Novell Client icon, then select Novell Map 
Network Drive. 
2 Specify a drive letter to map. 
3 Type or browse to the path to the network resource where you want to map a drive. 
4 Specify the login name to use for the map. 


If none is provided, the client uses your Windows logon username. If necessary, the client later 
prompts you for the password that matches the server login username you provide. 


5 (Optional) Select (enable) the Check to Make Folder Appear as the Top-Most Level option. 


6 (Optional) Select (enable) the Check to Always Map This Drive Letter When You Start Windows 
option. 


7 (Optional) Select (enable) the Map Search Drive option. 


8 Under Path Environment Variable Insertion Point, specify whether to put the search drive at 
the beginning or end of the path. 


9 Click Map. 
For more information, see the following: 


+ “Novell Client 2.0 SP2 for Linux Administration Guide” in the Novell Client 2.0 SP2 for Linux 
Administration Guide 


+ Novell Login Scripts Guide 


Mapping Network Drives with Windows Explorer 
You can also use native methods for mapping drives on your Windows client. 


1 In Windows Explorer browser, click Tools > Map Network Drive. 
2 Specify a drive letter to map. 
3 Type or browse to specify the folder you want to map. 


4 (Optional) To make the map automatically recur for subsequent logins to the network, select 
Reconnect at Logon. 


5 Click Finish. 

Mapping Network Drives on DOS Clients with the Map Command 


You can also use native methods for mapping drives on your DOS client. Use the map command to 
map drives and search drives to network directories. For a general description of the map command, 
see “MAP” in the NW 6.5 SP8: Utilities Reference. 

Understanding File System 
Access Control Using Trustees 


Security is one of the most important aspects of file system organization. The Novell® Storage 
Services™ File System and the NetWare® Traditional file system use the Novell trustee model to 
secure access to directories and files. Novell eDirectory™ objects, file-system trustee rights, and file 
system attributes for directories and files work together to allow you to determine who can access a 
directory or file and which actions are possible. 

+ Section 8.1, “eDirectory Objects and Security Equivalence,” on page 67 

+ Section 8.2, “File-System Trustee Rights,” on page 68 

+ Section 8.3, “Access Control for NSS on Linux,” on page 73 

+ Section 8.4, “The Connection Manager for NetWare,” on page 74 

+ Section 8.5, “Novell Client,” on page 75 

+ Section 8.6, “Directory and File Attributes for NSS Volumes or NetWare Traditional Volumes,” 
on page 75 

+ Section 8.7, “Displaying Key NSS Directory and File Attributes as Linux POSIX 
Permissions,” on page 77 


+ Section 8.8, “Using QuickFinder with NCP Volumes and NSS Volumes,” on page 81 
+ Section 8.9, “What’s Next,” on page 81 


8.1 eDirectory Objects and Security Equivalence 


In OES, administrators, users, and network resources are represented as objects in an eDirectory 
database. Use Novell iManager to create eDirectory objects, such as Organizational, Organizational 
Unit, Group, User, and Admin. For information, see the Novell eDirectory 8.8 Administration 
Guide. 











For example, in the following figure, the TREE container is configured and created when you 
install eDirectory. Later, you must populate the tree with container and leaf objects to represent the 
various resources in your company. YourCo is the main Organization (O) object in your TREE 
domain. In the YourCo container, you create Finance as an Organizational Unit (OU) object. In 
the Finance container, you create Accounts as an OU object that contains all accounting resources. 
Other OUs within Finance might represent Sales or Marketing organizations. In the Accounts 
container, Bob is a User object for a system user who is assigned to the Accounts Department. 





Figure 8-1 Example eDirectory Container and Objects 





TREE 
    YourCo 
        Finance 
            Accounts 
                Bob 

Security equivalences help to simplify the task of assigning objects as file system trustees for your 
directories and files. Security equivalence is recorded in eDirectory as the value for the Security 
Equal To property of a User object. You can establish security equivalences explicitly, automatically, 
or implicitly. 


+ Explicit: By assignment. Trustees of a file or directory with the Supervisor or Access Control 
right can assign rights explicitly. An eDirectory Administrator can modify an object’s Security 
Equal To property to explicitly assign it the same rights as those assigned to another object. For 
example, suppose you make a User object named Joe security equivalent to the Admin object. 
After you create the security equivalence, Joe has the same rights to the tree and file system as 
the Admin user. 


+ Automatic: By membership in a group or role. Whenever you assign an object to be a member 
in a Group object or Organizational Role object, the security equivalence is automatically 
added to the object’s Security Equal To property. 


+ Implied: Equivalent to all parent containers and the [Public] trustee. Security equivalence for 
an object is implied by its parent container and by the Public container, which applies to all 
users. 


Security equivalence is effective only for one step; it is not transferred by a subsequent security 
equivalence. For example, if you make a third user security equivalent to Joe in the example above, 
that user receives only Joe’s original security settings. The third user does not receive Admin rights 
or any other Security Equal To properties Joe might have. 


Whenever a user attempts to access a network resource, eDirectory calculates the user’s security 
equivalence and makes that information available to NetWare. NetWare compares the user’s security 
equivalence information to the trustee assignments for the path and target directory or file to 
determine if the user can access the target resource and what action on it is permitted. 


For more information about eDirectory objects and rights, see “eDirectory Rights” in the Novell 
eDirectory 8.8 Administration Guide. For information about file-system trustee rights, see 
Section 8.2, “File-System Trustee Rights,” on page 68. 


8.2 File-System Trustee Rights 


File-system trustee rights determine access and usage for directories and files on NSS volumes and 
Traditional volumes. A trustee is any eDirectory object, such as a User object, Group object, 
Organizational Role object, or container object, that you grant one or more rights for a directory or 
file. Trustee assignments allow you to assign ownership, set permissions, and monitor user access. 


The file system stores each file system Trustee’s ID and rights assignment as metadata with its 
directory or file in the NSS file system. In the NetWare Traditional file system, the file’s security and 
attributes metadata is stored in the Directory Entry Table (DET) of its parent directory. For NSS, the 
files and directory properties contain this information. 


File-system trustee rights granted at the directory level apply to all the files and subdirectories in that 
directory, unless the rights redefined at the file or subdirectory level override them. 


File-system trustee rights assigned to files and subdirectories redefine the rights that users inherit 
from directory rights. Eight file-system trustee rights can be granted at either the directory or file 
level, as described in the table below: 

File-System Trustee Right    Description 

Supervisor                   Grants the trustee all rights to the directory or file and any subordinate items. 
                             The Supervisor right cannot be blocked with an IRF (Inherited Rights Filter) 
                             and cannot be revoked. Users who have this right can also grant other users 
                             any rights to the directory or file and can change its Inherited Rights Filter. 
                             Default=Off 

Create                       Grants the trustee the ability to create directories and files and salvage 
                             deleted files. 
                             Default=Off 

Erase                        Grants the trustee the ability to delete directories and files. 
                             Default=Off 

File Scan                    Grants the trustee the ability to view directory and file names in the file 
                             system structure, including the directory structure from that file to the root 
                             directory. 
                             Default=On 

Modify                       Grants the trustee the ability to rename directories and files, and change file 
                             attributes. Does not allow the user to modify the contents of the file. 
                             Default=Off 

Read                         Grants the trustee the ability to open and read files, and open, read, and 
                             execute applications. 
                             Default=On 

Write                        Grants the trustee the ability to open and modify (write to) an existing file. 
                             Default=Off 

Access Control               Grants the trustee the ability to add and remove trustees for directories and 
                             files and modify their trustee assignments and inherited rights filters. 
                             Default=Off 


8.2.1 Inherited Rights Masks 


In NetWare, trustee rights assignments made at a given directory level flow down to lower levels 
until they are either changed or masked out. This is referred to as inheritance. The mechanism 
provided for preventing inheritance is called the Inherited Rights Mask (IRM). 


IRMs are taken into account when NSS builds what is referred to as the effective Access Control 
List (ACL) for a file or directory. The effective ACL is a list of all users who have rights to the 
directory and includes the rights they have. It is calculated by starting at the root of the volume and 
working down to the file. 

At each level, the IRM is applied to all rights inherited from the parent directory. Only those rights 
allowed by the mask are inherited by the child object. Rights for the various trustees explicitly 
assigned to the child are then collected. When a trustee inherits rights from above, the new rights 
replace the old ones (except the Supervisor right, which cannot be masked or removed by a new 
assignment to the same trustee). 


By the time NSS reaches the target file or directory, it has a list of all trustees and the rights assigned 
and inherited for the requested file or directory. This list is then compared against the entries in the 
connection table structure. Every time there is a match in the connection table with an entry in the 
effective ACL, the rights are added to those that the owner of the connection has to the requested file 
or directory. 


In reality, the rights are not calculated at every directory level. The actual algorithm NSS uses to 
calculate the rights for a particular file or directory is somewhat complicated because it ties in 
closely with the way the rights cache is implemented. The algorithm almost never needs to start at 
the root and work down. 


In effect, when the effective rights of a user to an object are finally resolved, you have a list of all 
users who have rights to the file or directory (the effective ACL) and a list of all users in the 
connection table. These lists are seldom very large. 


The one exception to this is a connection that has Admin-equivalent rights (not to be confused with 
having the Supervisor right from a trustee assignment). Admin-equivalent users have all rights to 
files, and they cannot be masked out by an IRM or explicit trustee assignment. The only way to keep 
an Admin-equivalent user from accessing files is to make a special trustee assignment that bars 
access to all but system connections. This assignment cannot be set through normal tools. 


All rights other than Supervisor can be stripped away with an IRM at any level for nearly any user, 
except a user that has Supervisor right to the Server object itself (such as Admin and equivalents, 
which usually have rights resulting from an eDirectory rights inheritance). In this situation, the 
Admin user can see all files and folders regardless of IRMs because the access is not granted in the 
file system. Instead, a bit is set in the connection table to indicate that the user is an admin and as 
such has full access to the server and all volumes thereon. 
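
The root-down walk described in this section can be modeled in a few lines of Python. This is an added example, not Novell code: the Level and Connection classes, the function names, and the sample volume, directories, and trustees are constructed for illustration, and it follows the conceptual description above rather than the cached algorithm NSS actually uses.

```python
from dataclasses import dataclass, field

# S=Supervisor R=Read W=Write C=Create E=Erase M=Modify F=File Scan A=Access Control
ORDER = "SRWCEMFA"
ALL_RIGHTS = frozenset(ORDER)


@dataclass
class Level:
    """One directory or file on the path from the volume root to the target."""
    name: str
    trustees: dict = field(default_factory=dict)  # explicit assignments: trustee -> rights
    irm: frozenset = ALL_RIGHTS                   # rights allowed to flow in from the parent


@dataclass
class Connection:
    """Connection-table entry: the user plus every object it is security equivalent to."""
    identities: frozenset
    admin_equivalent: bool = False  # admin bit: access is not decided in the file system


def effective_acl(path):
    """Walk root -> target and return {trustee: rights} as seen at the target."""
    acl = {}
    for level in path:
        inherited = {}
        for trustee, rights in acl.items():
            kept = rights & level.irm          # only rights allowed by the mask flow down
            if "S" in rights:
                kept = kept | {"S"}            # Supervisor cannot be masked out
            if kept:
                inherited[trustee] = kept
        for trustee, rights in level.trustees.items():
            new = frozenset(rights)            # explicit assignment replaces inherited rights
            if "S" in inherited.get(trustee, ""):
                new = new | {"S"}              # but cannot remove an inherited Supervisor right
            inherited[trustee] = new
        acl = inherited
    return acl


def effective_rights(path, conn):
    """Add up the rights of every ACL entry that matches the connection."""
    if conn.admin_equivalent:
        return ALL_RIGHTS
    rights = frozenset()
    for trustee, granted in effective_acl(path).items():
        if trustee in conn.identities:
            rights |= granted
    return ALL_RIGHTS if "S" in rights else rights


def fmt(rights):
    """Render a rights set in a fixed order, or '-' when it is empty."""
    return "".join(r for r in ORDER if r in rights) or "-"


def rights_along_path(path, conn):
    """Effective rights at every level, to show where an IRM or assignment changes them."""
    return [(path[i].name, fmt(effective_rights(path[: i + 1], conn)))
            for i in range(len(path))]


# Constructed sample data: a payroll directory whose IRM blocks all inherited rights.
BOB = "Bob.Accounts.Finance.YourCo"
PATH = [
    Level("DATA:", {"Finance.YourCo": "RF", "Joe.YourCo": "S"}),
    Level(r"DATA:finance", {"Accounts.Finance.YourCo": "RWCEMF"}),
    Level(r"DATA:finance\payroll", {BOB: "RF", "Joe.YourCo": "R"}, irm=frozenset()),
    Level(r"DATA:finance\payroll\2009.xls"),
]
bob = Connection(frozenset({BOB, "Accounts.Finance.YourCo", "Finance.YourCo",
                            "YourCo", "[Public]"}))
joe = Connection(frozenset({"Joe.YourCo", "YourCo", "[Public]"}))

if __name__ == "__main__":
    for who, conn in (("Bob", bob), ("Joe", joe)):
        for name, rights in rights_along_path(PATH, conn):
            print(f"{who:4} {name:32} {rights}")
```

Bob loses the rights inherited through his containers at the payroll directory and keeps only his explicit assignment, while Joe's Supervisor right from the root survives both the IRM and the later Read-only assignment.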


8.2.2 Visibility Lists 


The Visibility list is only used for making parent directories visible for navigation purposes. If a user 
has rights to a file, the NCP™ (via NCP Server for NetWare or NCP Server for Linux) makes all 
directories above the file visible to the user. This saves the administrator the task of assigning 
explicit rights to each directory above where the actual rights are assigned. 


Visibility entries are stored in a manner similar to explicitly-assigned trustees. The first four entries 
are in the actual beast object; the rest are stored in overflow beast objects linked from the directory 
beast object. 


Visibility lists only appear on directories. There is one entry for every trustee assigned anywhere in 
the subtree below the directory. Therefore, the further toward the root you go, the more GUIDs you 
see against that directory. At the root, the list has GUIDs for every trustee on the volume. 


Each visibility entry has an eDirectory GUID and a count of the number of references to that GUID 
in the entries for the directory (not the subtree) where the Visibility list is assigned. This includes 
trustees that are explicitly assigned, as well as trustees in Visibility lists. 

A Visibility list entry can be created in one of two ways: 


+ An immediate subordinate directory or file has a trustee that the parent does not. 


+ A visibility entry for a subordinate subdirectory is present. 


Visibility counts do not consider trustees from directories or contents of directories that are not 
immediately subordinate to the considered directory. 


The Visibility list is not affected by adding, deleting, or modifying IRMs. These operate in a 
transverse flow to the Visibility list. In other words, IRMs flow down the directory structure, while 
the Visibility list works up the structure. 


For each request, GUID entries in the connection table are compared for the connection requesting 
against all GUIDs on the directory in question. If a match is found, the directory is made visible to 
the user in the Visibility list. 


8.2.3 Supervisor Trustee Rights 


A trustee of a Server object in eDirectory is automatically granted the Supervisor right [S] to the root 
directory of every NSS or NetWare Traditional volume attached to that server. You cannot override 
Supervisor rights with trustee rights applied at the subdirectory or file level, nor with Inherited 
Rights Filters. The Admin User object is automatically a trustee of the Server object. 


The Supervisor user of the NSS or NetWare Traditional volume is automatically a trustee for all 
directories and files on the system and has all file-system trustee rights for them. The Supervisor 
right allows its trustee to assign other eDirectory objects as trustees and to specify any of the file- 
system trustee rights to them. 


A trustee must have the Access Control right [A] to make trustee assignments in a directory or file. 
Also, a trustee with the Write right to the File Server object is granted the Supervisor right to the file 
system. 


8.2.4 Trustee Assignments for a Volume 


If you grant a user privileges at the root directory of a volume, the user gains privileges to the entire 
volume unless those rights are specifically revoked at a lower level. You should be especially 
cautious about granting the Access Control right in a root directory. Users with the Access Control 
right can grant themselves all other rights in any subdirectory on the volume. You can improve 
network security by granting each user privileges only to the specific directories he or she uses. 


8.2.5 Default Trustee Rights 


In a trustee assignment for a directory, the default rights are File Scan and Read. Any trustee 
assignment, whether for a directory or a file, also includes the right to see the path leading from the 
root to that directory or file. 


A new assignment of trustee rights at the file level can revoke rights assigned at the directory level, 
or it can allow additional rights. 

8.2.6 Inherited Trustee Rights 


Subdirectories and files can inherit rights from their parent directory. The directory’s rights flow 
down through its structure to subdirectories and files, except for specific subdirectories or files with 
their own trustee assignments that supersede inherited rights. The trustee can exercise rights on 
subordinate directories and files without having explicit trustee assignments on each item. 


When granting a trustee assignment to a subdirectory or file, the trustee assignment takes 
precedence over the inherited rights of its parent directory. 


8.2.7 Public Trustee Rights 


[Public] is a specialized trustee; it is not an eDirectory object. [Public] represents any network user, 
logged in or not, for rights assignment purposes. [Public] has Browse rights to the top of the tree, 
giving all users the right to view any object in the tree. 


You can always specify [Public] as the trustee of a file, directory, or object. An unspecified 
authorized user who tries to access a file, directory, or object without any other rights is allowed the 
rights granted to the [Public] trustee. 


8.2.8 Example of Rights Needed for Typical Access Tasks 


The following table lists some common tasks and the rights required to do them. 


Task                                                    Trustee Assignment Needed 

See a filename (visibility)                             File Scan 
Read a closed file                                      Read 
Open or save an OpenOffice.org file                     Read, Write, File Scan, Create, Modify, Erase 
Open or save a Microsoft Office file                    Read, Write, File Scan, Create, Modify, Erase 
Search a directory                                      File Scan 
Write to a closed file                                  Write, Create, Erase, Modify 
Create and write to a file                              Create 
Copy files into a directory                             Create 
Remove an empty subdirectory                            Erase 
Delete a file                                           Erase 
Change directory or file attributes                     Modify 
Rename a file                                           Modify 
Change the Inherited Rights Filter                      Access Control 
Change trustee assignments                              Access Control 
Modify a directory’s disk space assignment for users    Access Control 

8.3 Access Control for NSS on Linux 


For an OES Linux server, you can control access to services locally or with eDirectory. If the server 
contains Novell Storage Services (NSS) volumes, you can control access in only one of the two 
methods, not both, and not a combination. The access methods are referred to as Independent mode 
and NetWare mode. 


Access Control                          File System                 Local Users       eDirectory Users                  Access Mode 

Local only                              Linux POSIX file systems    Yes               No                                xNFS Independent 
NCP/eDirectory, except for Root user    Linux POSIX file systems    No                Yes                               xNFS Independent 
Local and NCP/eDirectory                Linux POSIX file systems    Yes               Yes, Linux-enabled local users    xNFS Independent 
Local only                              NSS                         Root user only    No                                xNFS Independent 
NCP/eDirectory, except for Root user    NSS                         Root user only    Yes                               xNFS NetWare 
Local and NCP/eDirectory                NSS                         Root user only    Yes, Linux-enabled local users    xNFS NetWare 


For more information about NSS, NCP Server, and Linux User Management, see the following: 


+ Section 3.2, “Compatibility Issues for File System Rights on Linux,” on page 19 
+ “Access Control for NSS on Linux” in the NW 6.5 SP8: NSS File System Administration Guide 


In NetWare mode, NCP calculates access control permissions for three entities: 


+ The eDirectory User object mapped to the directory or file User ID (UNIX User ID (UID)) 
+ The eDirectory Group object mapped to the directory or file Group ID (UNIX Group ID (GID)) 
+ The eDirectory Group object mapped to the directory or file Others ID (UNIX GID 65535) 


These user entities are referred to as mapped users. All other users are called unmapped users. 


For NSS volumes, the POSIX directory and file permissions are not used to determine access 
permission. NSS uses the permission fields to store Read Only, Read/Write, Execute, and Hidden 
attributes for directories and files. NSS does not allow the Linux system to set typical access control 
permissions in the POSIX fields. It interprets Linux chmod commands to apply the values as 
NetWare directory and file attributes, according to the way NSS maps them to the User, Group, and 
Other permission fields. For information, see Section 8.7, “Displaying Key NSS Directory and File 
Attributes as Linux POSIX Permissions,” on page 77. 


When the user connects to the system with a data request, NCP calculates the effective rights table 
for the user. As NCP accesses the data on an NSS volume, it compares the ID values to the user's 
effective rights to determine what access is allowed. It then interprets the directory or file attributes 
from the NSS metadata. 




The NCP server ensures that trustee rights and directory and file attributes are enforced when users 
access their data. To ensure that the user’s data is not less secure when accessed from the Linux 
environment or with other protocols, the NSS volume data tends to be less accessible when accessed 
locally on the Linux system or through other protocols. NCP users only have rights where they have 
been explicitly granted to them through trustee assignments on the volume or to the NCP server 
object in eDirectory so NCP does not create security back doors into other parts of the system. 


NCP provides basic accessibility when the Linux-enabled authenticated user accesses the system 
locally or through another protocol. In order to accomplish this with file systems other than NSS, 
NCP sets the UID of files and directories to be that of the user who creates them. Using LUM (Linux 
User Management), these IDs map to valid Linux UIDs. Additionally, a local user on the Linux 
system could use NCPFS (ncpmount) and establish an authenticated NCP session with the NCP 
server, allowing the user’s local access rights to mirror the rights available remotely through NCP. 


With NSS volumes, the trustee information is stored in NSS with the directory or file. NSS allows 
access to their file system to Linux user IDs based on what their trustee rights are in the NSS file 
system. If a user has an NCP-assigned trustee right to a subdirectory on an NSS volume, that same 
user could log in at the Linux console and have the same access locally that he or she has through 
NCP. Protocols such as NFS and Samba that access files with the remote client’s UID should also 
work well with NSS. 


8.4 The Connection Manager for NetWare 


For NetWare, the Connection Manager module (connmgr.nlm) builds a connection table when a 
user connects to the file system. When a file is requested from either the NSS file system or the 
NetWare Traditional file system, the Connection Manager gathers information for the connection 
table from the eDirectory Services module (ds.nlm). The table comprises the eDirectory EIDs for 
the object, for group memberships, and for security equivalences. 


When the connection is established, the information in the connection table is relatively static unless 
the connected user is added to a new group or is given an explicit trustee assignment or security 
equivalence. In those situations, the connection manager updates the connection table and sends out 
an event that the table has changed. NSS uses this event to update its own connection table. 


8.4.1 Connections to the NetWare Traditional File System 


For the NetWare Traditional file system, the table of EIDs is all that is needed to proceed with 
authentication. After eDirectory provides the list of EIDs, the Connection Manager compares the list 
to the Directory Entry Table (DET) for the Traditional volume. It determines valid trustees by 
looking at the assigned trustees in the directory structure above (for trustee inheritance) and at the 
target file system object (for explicit trustee assignments). Inherited Rights Masks (IRMs) are also 
taken into consideration. 


8.4.2 Connections to the NSS File System 


For the NSS file system, the NSS connection table establishes an entry for a user when the regular 
connection table entry is created, rather than at the file system access time. Logically, the NSS 
connection table is part of the connection table with NSS-specific information, including the 
eDirectory object’s GUID. 
NSS uses GUIDs as the key for trustees. It keeps its own connection table with these GUIDs and 
compares it with the beast object entry to look for valid trustees. It finds valid trustees by looking at 
assigned trustees in the directory structure above (for trustee inheritance) and at the target file 
system object (for explicit trustee assignments), also taking IRMs into consideration. 


If this fails to provide a method of access, NSS then checks the Visibility list to see if the requested 
object is a parent directory that requires visibility due to a rights assignment for a child directory. For 
information about the Visibility list, see Section 8.2.2, “Visibility Lists,” on page 70. 


When GUIDs are used instead of EIDs, it does not matter which server you are on, provided it is in 
the same tree, which is why Novell Cluster Services uses NSS pools and volumes. 


NSS does not directly access the connection table. However, it does make calls to read information 
from it to form its own connection table with GUIDs and file-system trustee rights. For information 
about trustee rights, see Section 8.2, “File-System Trustee Rights,” on page 68. 


8.5 Novell Client 


The Novell Client™ establishes an authenticated connection to the server through eDirectory. It does 
not perform periodic authentication checks, nor does it track rights. NCP Server and NSS work 
together to ensure that the Security Equivalence Vector is up-to-date, and that the entries in it are 
used to give correct access to the file system. The client does not control the rights process. To do so 
would introduce a security flaw into the client/server relationship in NetWare. 


8.6 Directory and File Attributes for NSS Volumes or NetWare Traditional Volumes 


Directory and file attributes assign properties to individual directories or files. Some attributes are 
meaningful only when applied at the file level, but some apply to both the directory and the file 
levels. 


File attributes apply universally to all users. For example, a file that has a read-only attribute is 
read-only for all users. The file attribute settings are like an on/off switch. Attributes can be set by any 
trustee with the Modify right to the directory or file, and attributes stay set until they are changed. 
Attributes do not change when you log out or when you down a file server. 





IMPORTANT: Be careful when assigning a directory and file attribute. The attribute applies to all 
users. 





For example, if a trustee with the Modify right enables the Delete Inhibit attribute for a file, no one, 
including the owner of the file or the network administrator, can delete the file. However, any trustee 
with the Modify right can disable the Delete Inhibit attribute to allow the file’s deletion. 


Table 8-1 describes directory and file attributes and whether they apply to directories, files, or 
both. 
Table 8-1 Directory and File Attributes for NSS Volumes and NetWare Traditional Volumes 

Attribute
Code   Applies to             Description
A      Directories and files  Archive Needed identifies files and folders that have been modified
                              since the last backup. This attribute is assigned automatically.
Ci     Files only             Copy Inhibit prevents users from copying a file. This attribute works
                              only for clients using Macintosh operating systems to access NSS
                              volumes on NetWare.
                              This attribute overrides the trustee Read right and File Scan right. A
                              trustee with the Modify right must disable this attribute to allow the
                              file to be copied.
Dc     Directories and files  Do Not Compress keeps data from being compressed. This attribute
                              overrides settings for automatic compression of files not accessed
                              within a specified number of days.
Di     Directories and files  Delete Inhibit prevents users from deleting a directory or file.
                              This attribute overrides the trustee Erase right. When it is enabled, no
                              one, including the owner and network administrator, can delete the
                              directory or file. A trustee with the Modify right must disable this
                              attribute to allow the directory or file to be deleted.
Dm     Directories and files  Do Not Migrate prevents directories and files from being migrated from
                              the server's disk to another storage medium.
Ds     Files only             Do Not Suballocate prevents data from being suballocated.
H      Directories and files  The Hidden attribute hides directories and files so they do not appear
                              in a file manager or directory listing.
I      Files only             Index allows large files to be accessed quickly by indexing files with
                              more than 64 File Allocation Table (FAT) entries. This attribute is set
                              automatically.
Ic     Directories and files  Immediate Compress sets data to be compressed as soon as a file is
                              closed. If applied to a directory, every file in the directory is
                              compressed as each file is closed.
N      Directories and files  Normal indicates the Read/Write attribute is assigned and the
                              Shareable attribute is not. This is the default attribute assignment for
                              all new files.
P      Directories and files  Purge flags a directory or file to be erased from the system as soon as
                              it is deleted. Purged directories and files cannot be recovered.
Ri     Directories and files  Rename Inhibit prevents the directory or file name from being modified.
Ro     Files only             Read Only prevents a file from being modified.
Rw     Files only             Read/Write allows you to write to a file. All files are created with
                              this attribute.
Sh     Files only             Shareable allows more than one user to access the file at the same
                              time. This attribute is usually used with Read Only.
Sy     Directories and files  The System attribute hides the directory or file so it does not appear
                              in a file manager or directory listing. System is normally used with
                              operating system files, such as DOS system files.
T      Files only             Transactional allows a file to be tracked and protected by the
                              Transaction Tracking System™ (TTS™). This option works only on
                              NetWare.
X      Files only             The Execute attribute indicates program files such as .exe or .com.


8.7 Displaying Key NSS Directory and File Attributes as Linux POSIX Permissions 


NSS displays its Read Only (Ro), Read/Write (Rw), Execute (X), and Hidden (H) attributes for 
directories and files in the Linux POSIX permission fields when the volume is mounted on Linux. 
However, NSS does not support the POSIX set-user-ID mode bit and set-group-ID mode bit. For 
information about Ro, Rw, X, and H attributes, see Section 8.6, “Directory and File Attributes for NSS 
Volumes or NetWare Traditional Volumes,” on page 75. 


For NSS volumes on Linux, the POSIX permissions are not used conventionally to provide access 
control. Instead, they are merely a means of displaying NSS attributes in a familiar format to Linux 
users. 


For NSS volumes on Linux, only the Root user can create files in a directory that is marked as Read 
Only. If the Read Only attribute is enabled for a directory, LUM-enabled users cannot create files in 
the directory even if they have the trustee Supervisor right assigned to them. For example, the 
POSIX fields for a Read Only directory might be 


dr-x r-x r-x (for a directory with Read Only enabled and Hidden disabled) 
d--x --x --x (for a directory with Read Only and Hidden enabled) 


To enable LUM-enabled users to create files, you must disable Read Only for the directory, which is 
indicated in the POSIX rights field by enabling Write. For example, the POSIX fields when the Read 
Only attribute is disabled might be 


drwx rwx rwx (for a directory with Read Only disabled and Hidden disabled) 
d-wx -wx -wx (for a directory with Read Only disabled and Hidden enabled) 


The following table describes how the NSS directory and file attributes are displayed in the Linux 
POSIX fields and how they handle conventional management commands such as chmod. 
OES NetWare directory and file attributes: Read Only is enabled. Execute is disabled. Hidden is disabled. 
OES Linux permissions (User, Group, Other): r-- r-- r-- 
Description: 

NSS enables the Read permission bit and disables the Write permission bit for the User, Group, and 
Other fields to indicate that the NetWare Read Only attribute is enabled and the Hidden attribute is 
disabled. The directory or file is visible in your file manager. 

The NetWare Read Only attribute is always set to On for files and directories. When the Hidden 
attribute is set to Off, the Read permission bit is set to On for the User, Group, or Other permission 
fields on Linux. 

Example: chmod 400 has the same result as chmod 444 

r-- r-- r-- 

The binary value for octal 4 is 100, which corresponds to Read=On, Write=Off, and Execute=Off. 


OES NetWare directory and file attributes: Read Only is enabled. Execute is disabled. Hidden is enabled. 
OES Linux permissions (User, Group, Other): --- --- --- 
Description: 

NSS disables the Read and Write permission bits for the User, Group, and Other fields to indicate 
that the NetWare Read Only attribute is enabled and the Hidden attribute is enabled. The directory or 
file is not visible in your file manager, unless the file manager is set to view hidden files. 

The NetWare Read Only attribute is always set to On for files and directories. When the Hidden 
attribute is set to On, the Read permission bit is set to Off for the User, Group, or Other permission 
fields on Linux. 

Example: chmod 044 or chmod 040 has the same result as chmod 000 

The binary value for octal 0 is 000, which corresponds to Read=Off, Write=Off, and Execute=Off. 


OES NetWare directory and file attributes: Read Only is disabled. Execute is disabled. Hidden is disabled. 
OES Linux permissions (User, Group, Other): rw- rw- rw- 
Description: 

NSS enables the Write permission bit to indicate that Read Only is disabled. All users can read and 
modify the file or directory. 

If you set the Write permission bit for the User permission field, NSS sets the Write bit in all fields to 
the value in the User field. 

By default, NSS disables the Read Only attribute for files, so both the Read and Write permission 
bits are set to On in the Linux permissions. 

Example 1: chmod 620 or chmod 644 has the same result as chmod 666 

rw- rw- rw- 

The binary value for octal 6 is 110, which corresponds to Read=On, Write=On, and Execute=Off for 
the User field. The binary value for octal 2 is 010, which corresponds to Read=Off, Write=On, and 
Execute=Off for the Group field. NSS always sets the Read field to On. Because Write is set to On 
for the User field, it is also set to On for all fields. The NetWare Read Only attribute is disabled. 

Example 2: chmod 420 or chmod 466 has the same result as chmod 444 

r-- r-- r-- 

NSS always sets the Read field to On. Because Write is set to Off for the User field, it is also set to 
Off for all. The NetWare Read Only attribute is enabled. 


OES NetWare directory and file attributes: Read Only is enabled. Execute is enabled. Hidden is disabled. 
OES Linux permissions (User, Group, Other): r-x r-x r-x 
Description: 

NSS enables the Execute permission bit to indicate that Execute is enabled. When the Execute 
permission is enabled, all users can list the contents of the directory and change to the directory. 

For files, if you set the Execute permission bit to On for any of the User, Group, or Other permission 
fields, NSS sets the Execute bit to On for all fields. 

For files, if you set the Execute permission bit to Off for all of the User, Group, or Other permission 
fields, NSS sets the Execute bit to Off for all fields. 

For directories, both the Read and Execute permission bits are always set to On. 

Example 1: chmod 001, chmod 441, or chmod 401 has the same result as chmod 555 

r-x r-x r-x 

The binary value for octal 5 is 101, which corresponds to Read=On, Write=Off, and Execute=On. 
The binary value for octal 1 is 001, which corresponds to Read=Off, Write=Off, and Execute=On for 
the Other field. NSS always sets the Read field to On. Because the Execute bit is set to On for one of 
the fields, it is set to On for all of the fields. 

Example 2: chmod 622, chmod 700, or chmod 766 has the same result as chmod 777 

rwx rwx rwx 

The binary value for octal 7 is 111, which corresponds to Read=On, Write=On, and Execute=On. 
NSS always sets the Read field to On. Because the Execute bit is set to On for one of the fields, it is 
set to On for all of the fields. Because Write is On for the User field, it is set to On for all fields. 

Example 3: for directories, chmod 000, chmod 400, and chmod 022 have the same result as 
chmod 555 

r-x r-x r-x 

The binary value for octal 2 is 010, which corresponds to Read=Off, Write=On, and Execute=Off. 
NSS always sets the Read field to On. NSS always sets the Execute field to On for directories. The 
chmod command has no effect on the state of Read and Execute permission bits for directories. 
Because the Write bit is set to Off in the User field, it is set to Off for all fields. 


OES NetWare directory and file attributes: Read Only is disabled. Execute is enabled. Hidden is disabled. 
OES Linux permissions (User, Group, Other): rwx rwx rwx 
Description: 

NSS enables the Read, Write, and Execute permission bits when Read Only is disabled and Execute 
is enabled. All users can read and modify the directory or file, and they can list the contents of the 
directory and change to the directory. 
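
The chmod rules in the table above can be checked with a small model. The following Python is an added example, not Novell code: it encodes only the rules the table states for items whose Hidden attribute is disabled (Read always On, Write copied from the User field, Execute On in every field if set in any field of a file, Read and Execute always On for directories). The function names are illustrative.

```python
"""Model of how NSS displays a chmod request, per the rules stated in Section 8.7.

Added example. It covers items with Hidden disabled only; the Hidden rows of the
table are not modelled. The displayed bits are attribute indicators, not access
control: access on NSS is decided by trustees and trustee rights.
"""

READ, WRITE, EXECUTE = 4, 2, 1


def nss_displayed_mode(requested: int, is_dir: bool = False) -> int:
    """Return the mode NSS displays after `chmod <requested>` on a file or directory."""
    user = (requested >> 6) & 7
    group = (requested >> 3) & 7
    other = requested & 7

    field = READ                      # "NSS always sets the Read field to On"
    if user & WRITE:                  # Write in all fields follows the User field
        field |= WRITE
    if is_dir:                        # directories: Read and Execute are always On
        field |= EXECUTE
    elif (user | group | other) & EXECUTE:
        field |= EXECUTE              # files: Execute in any field sets it in all
    return (field << 6) | (field << 3) | field


def fmt(mode: int) -> str:
    """Render a mode in the spaced 'rwx rwx rwx' form used in this section."""
    fields = []
    for shift in (6, 3, 0):
        value = (mode >> shift) & 7
        fields.append("".join(
            letter if value & bit else "-"
            for letter, bit in (("r", READ), ("w", WRITE), ("x", EXECUTE))))
    return " ".join(fields)


def explain(requested: int, is_dir: bool = False) -> dict:
    """Summarise what a chmod request turns into on an NSS volume."""
    shown = nss_displayed_mode(requested, is_dir)
    return {
        "requested": fmt(requested),
        "displayed": fmt(shown),
        # Read Only is enabled exactly when the Write bit is Off
        "read_only_attribute": (shown & 0o200) == 0,
        # bits that appear although the administrator did not ask for them
        "bits_not_requested": fmt(shown & ~requested & 0o777),
    }


if __name__ == "__main__":
    # chmod 600 is a common attempt to make a file private; on NSS it is displayed
    # as rw- rw- rw- and only clears the Read Only attribute.
    for mode, is_dir in ((0o600, False), (0o420, False), (0o401, False), (0o022, True)):
        print(oct(mode), "dir" if is_dir else "file", explain(mode, is_dir))
```

A request such as chmod 600 therefore cannot be used to restrict Group or Other on an NSS volume; restrict access with trustee assignments instead.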
8.8 Using QuickFinder with NCP Volumes and NSS Volumes 


QuickFinder indexing honors Novell file system trustees and rights in what it returns to the 
requesting user for NCP volumes and NSS volumes. The user sees only those files that the user has 
rights to see. 


8.9 What’s Next 


Continue with “Configuring File System Trustees, Trustee Rights, Inherited Rights Filters, and 
Attributes” on page 83. 
Configuring File System Trustees, Trustee Rights, Inherited Rights Filters, and Attributes 


This section discusses how to configure trustee rights and inherited rights filters for 
directories and files on the Novell® Storage Services™ File System and NetWare® Traditional File 
System. 

+ Section 9.1, “Generating a Server Security Report (NetWare)” 
+ Section 9.2, “Viewing a File System Trustee Report for a Volume (NetWare)” 
+ Section 9.3, “Viewing a File System Trustee Report for a Directory or File” 
+ Section 9.4, “Viewing a File System Trustee Report for All Directories in a Volume” 
+ Section 9.5, “Viewing Properties of a File or Folder” 
+ Section 9.6, “Managing Directory Quotas, File Ownership, and File or Directory Attributes for 
NSS Volumes” 
+ Section 9.7, “Managing File System Trustees in iManager” 
+ Section 9.8, “Managing File System Trustees, Trustee Rights, and Inherited Rights Filters” 
+ Section 9.9, “Managing File System Attributes for NSS and NetWare Traditional Volumes” 
+ Section 9.10, “Trustee Rights Utility for Linux” 
+ Section 9.11, “Trustee Rights Utility for NetWare” 
+ Section 9.12, “Attributes Utility for Linux” 
+ Section 9.13, “FLAG (NetWare)” 


For an explanation of trustee rights, see “Understanding File System Access Control Using 
Trustees” on page 67. 


9.1 Generating a Server Security Report (NetWare) 


For NetWare, you can generate the server Security report in Novell Remote Manager for NetWare to 
help track potential security risks. This report shows only the information that the logged-in user is 
allowed to view. To receive a report with the most helpful information, log in as the Admin user or 
as a user with eDirectory rights equivalent to Admin. 


To generate the Security report for your NetWare server: 


1 Open a Web browser to the Novell Remote Manager, then log in as administrator or equivalent. 
2 In the left navigator, click Reports/Log Files to open the Reports/Log Files page. 
3 Click View Security Report. 
From this report, you can track the following file system security information: 

+ Trustee assignments for each volume 

  Granting a user privileges at the root directory of a volume gives that user privileges to the 
  entire volume unless those rights are specifically revoked at a lower level. You should be 
  especially cautious about granting the Access Control right in a root directory. Users with the 
  Access Control right can grant themselves all other rights in any subdirectory on the volume. 
  You can improve network security by granting each user privileges only to the specific 
  directories he or she uses. 

+ Trustee assignments for each common folder on the sys: volume 

  User, organization, role, or other eDirectory objects should have only limited access, such as 
  Read and File Scan rights, to common directories on volume sys: such as sys:\public and 
  sys:\login. 

+ A list of users that have security equivalence to user Admin 

  As the number of users with rights equivalent to user Admin increases, your security risks 
  multiply. Any time a user with rights equivalent to user Admin leaves a server unattended, 
  anyone can gain access to the server. 


For information, see “Security Report” in the NW 6.5 SP8: Novell Remote Manager Administration 
Guide. 


9.2 Viewing a File System Trustee Report for a Volume (NetWare) 


For NetWare, administrators can view a Volume Trustee Report to see which users are trustees of 
which files and directories on a volume. 


1 In Novell Remote Manager for NetWare, click Manage Server > Volumes to open the Volume 
Management page. 
2 Click the Information icon next to the volume you are monitoring. 


3 Scroll down the page, then click the Volume Trustee Report link. 


[Figure: sample Volume Trustee Report for volume TEST. Each path is followed by one line per 
trustee, of the form “Rights: SRWCEMFA, User / Group: .CN=acatt.O=novell.T=THEACME_TREE.”] 
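
The checks that Section 9.1 recommends can be run over a saved copy of a Volume Trustee Report. The following Python is an added example, not a Novell tool: the report layout (a path line followed by "Rights: <mask>, User / Group: <trustee>" lines), the /SYS/PUBLIC style of path, and the sample data are assumptions constructed from the report shown in this section.

```python
import re
from typing import NamedTuple

RIGHT_LETTERS = "SRWCEMFA"          # positional mask as printed in the report
RIGHTS_LINE = re.compile(
    r"^Rights:\s*(?P<mask>\S{8}),\s*User / Group:\s*(?P<trustee>\S+)\s*$")
COMMON_SYS_DIRS = {"/SYS/PUBLIC", "/SYS/LOGIN"}   # assumed path spelling
LIMITED_RIGHTS = frozenset("RF")    # Read and File Scan

# Constructed sample input; the last line is deliberately damaged.
SAMPLE_REPORT = """\
/SYS
Rights: _R____F_, User / Group: .CN=staff.O=novell.T=THEACME_TREE.
/SYS/PUBLIC
Rights: _RWC__F_, User / Group: .CN=ddogg.O=novell.T=THEACME_TREE.
/SYS/LOGIN
Rights: _R____F_, User / Group: .CN=animals.O=novell.T=THEACME_TREE.
/TEST
Rights: _R____FA, User / Group: .CN=ddogg.O=novell.T=THEACME_TREE.
/TEST/acatt home
Rights: SRWCEMFA, User / Group: .CN=acatt.O=novell.T=THEACME_TREE.
Rights: _R. F_, User / Group: .CN=ddogg.O=novell.T=THEACME_TREE.
"""


class Assignment(NamedTuple):
    path: str
    trustee: str
    rights: frozenset


def decode_mask(mask):
    """Decode an 8-character positional mask; return None if it is malformed."""
    rights = set()
    for expected, got in zip(RIGHT_LETTERS, mask):
        if got == expected:
            rights.add(got)
        elif got != "_":
            return None
    return frozenset(rights)


def parse_report(text):
    """Return (assignments, skipped_lines). Lines that do not parse are kept,
    so a damaged report cannot silently hide a trustee."""
    assignments, skipped, path = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("/"):
            path = line.rstrip("/").upper() or "/"
            continue
        match = RIGHTS_LINE.match(line)
        rights = decode_mask(match.group("mask")) if match else None
        if path is None or rights is None:
            skipped.append(line)
            continue
        assignments.append(Assignment(path, match.group("trustee"), rights))
    return assignments, skipped


def audit(assignments):
    """Apply the Section 9.1 guidance; return (severity, path, trustee, reason) tuples."""
    findings = []
    for a in assignments:
        at_root = a.path.count("/") == 1
        # Supervisor includes every other right, so it is treated like Access Control.
        if at_root and a.rights & {"S", "A"}:
            findings.append(("HIGH", a.path, a.trustee,
                             "Access Control or Supervisor granted at the volume root"))
        elif at_root and a.rights:
            findings.append(("REVIEW", a.path, a.trustee,
                             "rights at the volume root apply to the entire volume"))
        if a.path in COMMON_SYS_DIRS and not a.rights <= LIMITED_RIGHTS:
            extra = "".join(r for r in RIGHT_LETTERS if r in a.rights - LIMITED_RIGHTS)
            findings.append(("HIGH", a.path, a.trustee,
                             "more than Read and File Scan on a common sys: directory: " + extra))
    return findings


if __name__ == "__main__":
    parsed, unparsed = parse_report(SAMPLE_REPORT)
    for finding in audit(parsed):
        print(*finding, sep=" | ")
    for line in unparsed:
        print("UNPARSED | " + line)
```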
9.3 Viewing a File System Trustee Report for a Directory or File 


1 In iManager, use either of the following methods to locate the file or directory and display its 
properties. 

+ In Roles and Tasks, select Files and Folders > Properties, then browse to locate and select 
the file or directory. 

+ In the iManager toolbar, select the View Objects icon, browse the Tree view to locate and 
select the file or directory, then select Actions > Properties. 


2 On the Properties page, select the Rights tab to view a list of trustees and their rights. 


9.4 Viewing a File System Trustee Report for All Directories in a Volume 

There are currently no supported tools that can generate a trustee report for all directories in a 
volume. Check the Novell Support (http://www.novell.com/support/) Web site and the Novell Cool 
Solutions (http://www.novell.com/coolsolutions/) Web site for possible solutions that meet your 
needs. For example, one possible solution is Display Trustee Assignments (http://www.novell.com/ 
coolsolutions/tools/14092.html). 


9.5 Viewing Properties of a File or Folder 


1 In iManager, click Files and Folders, then click Properties to open the Properties page. 
2 Use one of the following methods to specify the volume, folder, or file that you want to manage: 


+ Click the Search icon to browse and locate the volume, folder, or file from the Storage objects, 
then click the name link of the object to select it. 


+ Click the History icon to select a volume, folder, or file from the list of Storage objects 
that you recently accessed. 


The pathname of the object appears in the Name field. 
3 Click OK to view the properties for the selected volume, folder, or file. 
The properties are displayed in three Files and Folders tabs: 


Properties Tab: Information 
Description: 
+ View details about the selected volume, folder, or file. 
+ Modify the file owner. 
+ Configure directory quotas for folders on NSS volumes where the Directory Quotas attribute is 
enabled. 
+ Configure file or directory attributes. 
For Information: See Section 9.6, “Managing Directory Quotas, File Ownership, and File or 
Directory Attributes for NSS Volumes,” on page 86. 

Properties Tab: Rights 
Description: 
+ View details about trustees, trustee rights, and inherited rights filter for the selected volume, folder, 
or file. 
+ Add or remove trustees. 
+ Grant or revoke trustee rights for one or multiple trustees. 
+ Configure the inherited rights filter. 
For Information: See Section 9.7.2, “Configuring Rights (File System Trustees, Trustee Rights, and 
Inherited Rights Filter),” on page 90. 

Properties Tab: Inherited Rights 
Description: 
+ View details about explicitly assigned trustee rights and inherited rights at all levels along the path 
from the selected file or folder to the root of the volume. 
+ View the effective rights for a given trustee for the selected volume, folder, or file. 
For Information: See Section 9.7.3, “Viewing Effective Rights for a Trustee,” on page 93. 


9.6 Managing Directory Quotas, File Ownership, and File or Directory Attributes for NSS Volumes 


1 Select a volume, folder, or file to manage. 


For instructions, see Section 9.5, “Viewing Properties of a File or Folder,” on page 85. 


2 Click the Information tab to view or modify the following properties for the selected volume, 
folder, or file: 





IMPORTANT: Changes do not take effect until you click OK or Apply. If you click a different 
tab before you save, changes you make on this page are lost. 





Property 


Location 


Description 


The pathname of the selected volume, folder, or file. For example: 


VOLl:dirlNdirBNfilename.ext 





Restrict Size 


(Enable or Disable a 
Directory Quota on a 
Folder) 


Enable (select) or disable (deselect) a directory quota on the specified 
folder on an NSS volume where the Directory Quotas attribute is enabled. 


The default is Disabled. 


If this option is enabled, you must also specify a value for the quota in the 


Limit field. 


A directory quota limits the amount of space on a volume that can be 
consumed by all of the files and folders in that directory. The directory 
quota applies to files and folders created by any user of the directory. 


Select Restrict Size to enable a directory quota for the selected folder, 


specify the quota value in Limit, then click Apply. 


Deselect Restrict Size to disable a directory quota for the selected folder, 
then click Apply. 
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Property 
Limit 


(Set Limit for a 
Directory Quota on a 
Folder) 


Description 
The maximum size allowed for the specified directory and its contents. 
Default: Disabled (not available unless Restrict Size is enabled). 


If you enable Restrict Size for the selected folder, you must specify a limit 
for the directory quota. Type a value in KB for the quota. The value must 
be an increment of 4 KB; that is, it must be divisible by 4 with no 
remainder. Click Apply to save the changes. 


If the value you specify exceeds the volume quota, the volume quota 
overrides the directory quota. 


If the current size of the selected folder exceeds the specified limit, users 
cannot save data to the folder until space is cleared by removing files from 
it. 


If a user quota is set for a user on the volume, the user space restriction 
overrides the directory quota. That is, the user cannot save data to the 
folder if doing so causes the user to exceed his or her user quota. 





Created 


The time stamp (MM/DD/YYYY hh:mm) for when the file or folder was 
created. 





Modified 


The time stamp (MM/DD/YYYY hh:mm) for when the file or folder was last 
modified. 





Accessed 


The time stamp (MM/DD/YYYY hh:mm) for when the file or folder was last 
accessed. 





Archived 


The time stamp (MM/DD/YYYY hh:mm) for when the file or folder was last 
archived. 





Creator 


(View or Modify 
Ownership) 


The typeless distinguished Novell eDirectory™ username (such as 
username.context) of the user who created the file or folder. If the 
username becomes invalid, such as if an employee leaves the company, 
the GUID of the username is reported. For NSS, any number of files or 
folders can be represented by GUIDs instead of valid usernames. 


User quotas for NSS volumes consider file ownership to enforce user 
space restrictions. You might need to change the ownership of a file or 
folder in order to make the space it consumes be charged against a 
different user. 


For NSS volumes on NetWare and Linux, NCP volumes on Linux, and 
NetWare traditional volumes on NetWare, all access to data is controlled 
by file system trustees and trustee rights instead of by ownership. When a 
user creates a file or folder, the trustees and trustee rights for accessing 
the file are automatically inherited from the directory where the file is 
created. If you intend different trustees and rights for the file, you must 
assign them explicitly. For instructions, see Section 9.7.2, “Configuring 
Rights (File System Trustees, Trustee Rights, and Inherited Rights Filter),” 
on page 90. 


Changing the ownership of the file or folder does not modify who can 
access it, but it does modify whose username is charged for the space it 
consumes. If you modify the ownership, you must click Apply or OK to 
save the changes. 





Archiver 


The distinguished username (such as username.context) of the user who 
modified the version of the file or folder that was last archived. 
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Property Description 


Modifier The distinguished username (such as username.context) of the user who 
last modified the current version of the file or folder. 





Attributes File attributes determine how the file or folder behaves when accessed by 
any user. Enable or disable an attribute by selecting or deselecting the 
check box next to it. If you modify a setting, click Apply or OK to save the 
changes. 


File attributes apply universally to all users. For example, a file that has a 
read-only attribute is read-only for all users. 


Attributes can be set by any trustee with the Modify right to the directory or 
file, and attributes stay set until they are changed. Attributes do not 
change when you log out or when you down a file server. 


For example, if a trustee with the Modify right enables the Delete Inhibit 
attribute for a file, no one, including the owner of the file or the network 
administrator, can delete the file. However, any trustee with the Modify 
right can disable the Delete Inhibit attribute to allow the file’s deletion. 


The following table defines file system attributes and whether they apply to files, folders, or 
both files and folders. 

Attribute        Description                                                 Files  Folders

Read Only        Prevents a file from being modified.                        Yes    No

Archive          Identifies files and folders that have been modified        Yes    Yes
                 since the last backup. This attribute is assigned
                 automatically.

Hidden           Hides directories and files so they do not appear in a      Yes    Yes
                 file manager or directory listing.

Shareable        Allows more than one user to access the file at the         Yes    No
                 same time. This attribute is usually used with Read
                 Only.

Transactional    Allows a file on an NSS volume or a NetWare Traditional     Yes    No
                 volume to be tracked and protected by the Transaction
                 Tracking System™ (TTS™) for NetWare.

                 For NSS, the TTS attribute for the volume must be
                 enabled in order for this setting to be enforced. TTS
                 is not available for NSS on Linux.

Purge Immediate  Flags a directory or file to be erased from the system      Yes    Yes
                 as soon as it is deleted. Purged directories and files
                 cannot be recovered.

Rename Inhibit   Prevents the directory or file name from being              Yes    Yes
                 modified.

Delete Inhibit   Prevents users from deleting a directory or file.           Yes    Yes

                 This attribute overrides the file system trustee Erase
                 right. When Delete Inhibit is enabled, no one,
                 including the owner and network administrator, can
                 delete the directory or file. A trustee with the
                 Modify right must disable this attribute to allow the
                 directory or file to be deleted.

Copy Inhibit     Prevents users from copying a file. This attribute          Yes    No
                 works only for clients using Macintosh operating
                 systems to access NSS volumes on NetWare.

                 This attribute overrides the trustee Read right and
                 File Scan right. A trustee with the Modify right must
                 disable this attribute to allow the file to be copied.


3 If you modified any settings, click Apply or OK to save your changes. 



9.7 Managing File System Trustees in iManager 


NSS uses the Novell Trustee Model for controlling access to user data. As an administrator or a user 
with the Supervisor right or Access Control right, you can use the Files and Folders plug-in to 
iManager to manage file system trustees, trustee rights, inherited rights filters, and attributes for a 
file or folder on an NSS volume. A user who has only the Access Control right cannot modify the 
rights of another user who has the Supervisor right. 


+ Section 9.7.1, “Prerequisites,” on page 90 


+ Section 9.7.2, “Configuring Rights (File System Trustees, Trustee Rights, and Inherited Rights 
Filter),” on page 90 


+ Section 9.7.3, “Viewing Effective Rights for a Trustee,” on page 93 


9.7.1 Prerequisites 


+ The volume that you want to manage must be in the same tree where you are currently logged 
in to iManager. 


+ You must have trustee rights for the volume, folder, and file that you want to manage. 


+ The volume must be a file system that uses the Novell trustee model for file access, such as an 
NSS volume on OES 2 NetWare or Linux, an NSS or NetWare traditional volume on NetWare® 
6.5, or an NCP™ (NetWare Core Protocol™) volume (an NCP share on Ext3 or Reiser file 
system) on OES 2 Linux. 


9.7.2 Configuring Rights (File System Trustees, Trustee Rights, 
and Inherited Rights Filter) 


File system trustees, trustee rights, and inherited rights filters are used to determine access and usage 
for directories and files on NSS volumes on OES 2 NetWare and Linux, NCP volumes on OES 2 
Linux, and NSS and NetWare Traditional volumes on NetWare 6.5. If you modify any settings, you 
must click Apply or OK to save the changes. 


Viewing, Adding, or Removing File System Trustees 


A trustee is any Novell eDirectory object (such as a User object, Group object, Organizational Role 
object, or other container object) that you grant one or more rights for a directory or file. Trustee 
assignments allow you to set permissions for and monitor user access to data. 
1 In iManager, click Files and Folders, then click Properties to open the Properties page. 
2 On the Properties page, select a volume, folder, or file to manage. 
For instructions, see Section 9.5, “Viewing Properties of a File or Folder,” on page 85. 


3 Click the Rights tab to view the trustees, trustee rights, and inherited rights filter for the 
selected volume, folder, or file. 


4 Add trustees. 
4a Scroll down to the Add Trustees field. 
4b Use one of the following methods to add usernames as trustees: 


+ Click the Search icon, browse to locate the usernames of the users, groups, or roles 
that you want to add as trustees, click the name link of the objects to add them to the 
Selected Objects list, then click OK. 


+ Click the History icon to select usernames from a list of users, groups, or roles that 
you recently accessed. 


+ Type the typeless distinguished username (such as username.context) in the Add 
Trustees field, then click the Add (+) icon. 


The usernames appear in the Trustees list, but they are not actually added until you click 
Apply or OK. Each of the usernames has the default Read and File Scan trustee rights 
assigned. 


4c On the Properties page, click Apply to save the changes. 
5 Remove trustees. 


5a Scroll down to locate and select the username of the user, group, or role that you want to 
remove as a trustee. 
5b Click the Remove (red X) icon next to the username to remove it as a trustee. 


The username disappears from the list, but it is not actually removed until you click Apply 
or OK. 


5c On the Properties page, click Apply to save changes. 


Viewing, Granting, or Revoking File System Trustee Rights 


Administrator users and users with the Supervisor right or the Access Control right can grant or 
revoke file system trustee rights for a volume, folder, or file. Only the administrator user or user with 
the Supervisor right can grant or revoke the Access Control right. 
1 In iManager, click Files and Folders, then click Properties to open the Properties page. 
2 On the Properties page, select a volume, folder, or file to manage. 
For instructions, see Section 9.5, “Viewing Properties of a File or Folder,” on page 85. 


3 Click the Rights tab to view the trustees, trustee rights, and inherited rights filter for the 
selected volume, folder, or file. 


4 Scroll to locate the username of the trustee you want to manage. 


5 In the check boxes next to the trustee name, select or deselect the rights you want to grant or 
revoke for the trustee. 





IMPORTANT: Changes do not take effect until you click OK or Apply. If you click a different 
tab before you save, any changes you have made on this page are lost. 

Trustee Right Description 


Supervisor (S) Grants the trustee all rights to the directory or file and any subordinate items. 

The Supervisor right cannot be blocked with an inherited rights filter (IRF) and 
cannot be revoked. Users who have this right can also grant other users any 
rights to the directory or file and can change its inherited rights filter. 

Default=Off 


Read (R) Grants the trustee the ability to open and read files, and open, read, and 
execute applications. 

Default=On 


Write (W) Grants the trustee the ability to open and modify (write to) an existing file. 

Default=Off 


Erase (E) Grants the trustee the ability to delete directories and files. 

Default=Off 


Create (C) Grants the trustee the ability to create directories and files and salvage deleted 
files. 

Default=Off 


Modify (M) Grants the trustee the ability to rename directories and files, and change file 
attributes. Does not allow the user to modify the contents of the file. 

Default=Off 


File Scan (F) Grants the trustee the ability to view directory and file names in the file system 
structure, including the directory structure from that file to the root directory. 

Default=On 


Access Control (A) Grants the trustee the ability to add and remove trustees for directories and 
files and modify their trustee assignments and inherited rights filters. 

Default=Off 


6 Click Apply or OK to save changes. 


Configuring the Inherited Rights Filter for a File or Directory 


File system trustee rights assignments made at a given directory level flow down to lower levels 
until they are either changed or masked out. This is referred to as inheritance. The mechanism 
provided for preventing inheritance is called the inherited rights filter. Only those rights allowed by 
the filter are inherited by the child object. The effective rights that are granted to a trustee are a 
combination of explicit rights set on the file or folder and the inherited rights. Inherited rights are 
overridden by rights that are assigned explicitly for the trustee on a given file or folder. 

1 In iManager, click Files and Folders, then click Properties to open the Properties page. 

2 On the Properties page, select a volume, folder, or file to manage. 

For instructions, see Section 9.5, “Viewing Properties of a File or Folder,” on page 85. 


3 Click Information, then scroll down to view the inherited rights filter. 
The selected rights are allowed to be inherited from parent directories. The deselected rights are 
not inherited. 


4 In the Inherited Rights Filter, enable or disable a right to be inherited from its parent directory 
by selecting or deselecting the check box next to it. 


5 Click Apply or OK to save the changes. 


9.7.3 Viewing Effective Rights for a Trustee 


Effective rights are the explicit rights defined for the trustee plus the rights that are inherited from 
the parent directory. The Inherited Rights page shows the inheritance path for a trustee for the 
selected file or folder and the effective rights at each level from the current file or directory to the 
root of the volume. You can use this information to help identify at which directory in the path a 
particular right was filtered, granted, or revoked. 

1 In iManager, click Files and Folders, then click Properties to open the Properties page. 

2 On the Properties page, select a volume, folder, or file to manage. 

For instructions, see Section 9.5, “Viewing Properties of a File or Folder,” on page 85. 


3 On the Properties page, click the Inherited Rights tab to view the effective rights for a given 
trustee. 


By default, the page initially displays the effective rights for the username you used to log in to 
iManager. 


4 On the Inherited Rights page, click the Search icon next to the Trustee field to browse for and 
locate the username of the trustee you want to manage, then select the username by clicking the 
name link. 


The path for the selected file or folder is traced backwards to the root of the volume. At each 
level, you can see the rights that have been granted and inherited to create the effective rights 
for the trustee. 


5 If you make any changes, click Apply or OK to save them. 
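
The inheritance rules described under "Configuring the Inherited Rights Filter for a File or Directory" and the per-level trace shown on the Inherited Rights page can be followed in a small model. This is an added example, not Novell code: it handles a single trustee only, the path, class and function names are constructed for illustration, and keeping an inherited Supervisor right below an explicit assignment is this example's reading of the statement that Supervisor cannot be blocked or revoked.

```python
from dataclasses import dataclass
from typing import List, Optional

# Order of the trustee rights table in this section:
# Supervisor, Read, Write, Erase, Create, Modify, File Scan, Access Control.
RIGHTS = "SRWECMFA"


def to_set(mask: str) -> frozenset:
    """Turn a string such as 'RF' into a set of right letters."""
    letters = frozenset(mask.upper())
    unknown = letters - set(RIGHTS)
    if unknown:
        raise ValueError("unknown right(s): " + "".join(sorted(unknown)))
    return letters


def to_mask(rights) -> str:
    """Render a set of rights as a fixed-width mask, for example '_R____F_'."""
    return "".join(r if r in rights else "_" for r in RIGHTS)


@dataclass
class Level:
    """One directory or file on the path from the volume root to the target."""
    path: str
    irf: str = RIGHTS               # rights allowed to be inherited into this level
    explicit: Optional[str] = None  # this trustee's explicit assignment here, if any


def trace_effective(levels: List[Level]) -> List[dict]:
    """Walk from the volume root down and report the effective rights per level."""
    rows = []
    effective = frozenset()  # nothing is inherited above the volume root
    for level in levels:
        # Only rights allowed by this level's filter flow down from the parent.
        inherited = effective & to_set(level.irf)
        if "S" in effective:
            inherited = frozenset(RIGHTS)  # an IRF cannot block Supervisor
        if level.explicit is None:
            effective = inherited
        else:
            # An explicit assignment overrides what the trustee would inherit.
            effective = to_set(level.explicit)
        if "S" in effective or "S" in inherited:
            effective = frozenset(RIGHTS)  # Supervisor grants all rights
        rows.append({
            "path": level.path,
            "irf": to_mask(to_set(level.irf)),
            "inherited": to_mask(inherited),
            "explicit": None if level.explicit is None else to_mask(to_set(level.explicit)),
            "effective": to_mask(effective),
        })
    return rows


def where_changed(rows: List[dict], right: str) -> List[tuple]:
    """List the levels at which one right appears or disappears for the trustee."""
    changes, had = [], False
    for row in rows:
        has = right in row["effective"]
        if has != had:
            changes.append((row["path"], "granted" if has else "removed"))
        had = has
    return changes


# Constructed sample path (not from the guide): Read and File Scan at the volume
# root, a wider explicit grant on one folder, and an IRF below it that lets only
# Read and File Scan through.
SAMPLE_PATH = [
    Level("DATA:", explicit="RF"),
    Level("DATA:/projects"),
    Level("DATA:/projects/design", explicit="RWECMF"),
    Level("DATA:/projects/design/archive", irf="RF"),
    Level("DATA:/projects/design/archive/old.doc"),
]

if __name__ == "__main__":
    for row in trace_effective(SAMPLE_PATH):
        print(f'{row["path"]:40} IRF={row["irf"]} effective={row["effective"]}')
    print(where_changed(trace_effective(SAMPLE_PATH), "W"))
```
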


9.8 Managing File System Trustees, Trustee 
Rights, and Inherited Rights Filters 


Use the following methods to modify file system trustees for directories and files on NSS or 
NetWare Traditional file systems. 
+ Section 9.8.1, “Using Novell NetStorage,” on page 93 
+ Section 9.8.2, “Using the Novell Client to Manage Trustees and Trustee Rights,” on page 94 
+ Section 9.8.3, “Using the Novell Client to Manage Inherited Rights and Filters,” on page 95 
+ Section 9.8.4, “Using Novell Remote Manager for NetWare (NetWare),” on page 96 


9.8.1 Using Novell NetStorage 


1 Open your Web browser to NetStorage and log in. 
2 Right-click the directory or file you want to manage, then select Properties. 


3 Do one or more of the following: 
Although the option labels refer to NetWare, use the options for your NSS volumes on Linux or 
NetWare. 


+ Add Trustees: Click the NetWare Rights tab, click the eDirectory Object viewer and 
browse to select the trustee you want to add, then click Plus (+). 


+ Remove Trustees: Click the NetWare Rights tab, select the Trustee check box next to one 
or more trustees you want to remove, then click Remove. 


+ Modify File System Rights: Click the NetWare Rights tab, in the Rights check boxes 
next to the trustee, select or deselect rights for the trustee, then click Apply. 


For information, see Section 8.2, “File-System Trustee Rights,” on page 68. 


+ Modify Inherited Rights Filter: Click the NetWare Rights tab, select or deselect 
Inherited Rights, then click Apply. 


For information, see Section 8.2, “File-System Trustee Rights,” on page 68. 


9.8.2 Using the Novell Client to Manage Trustees and Trustee 
Rights 


Administrators and users can manage file-system trustee rights for network directories and files, 
using the Novell Client on their workstations. 


1 In a file manager, right-click the network directory or file, then select Trustee Rights. 


2 In the Trustees area, click the username to display the user's trustee rights. 


Each trustee's rights are shown by a check mark under the letters of the associated rights. If 
there are no trustees listed, access for the selected directory or file is currently governed only by 
its Inherited Rights and Filters. 


If you are viewing the properties of multiple directories or files, the trustees and rights shown 
are the combined trustees and rights for all the files. 


3 In the Effective Rights area, view the actual rights of the selected user. 


Explicit file-system trustee rights override inherited rights. If there are no trustees listed, the 
effective rights are the same as the inherited rights. 


4 (Conditional) If you have the Supervisor right or the Access Control right for the selected 
network directory or file, you can configure trustee rights. 


Do one or more of the following: 


+ Add a Trustee: Click Add, type the fully distinguished name 
(username.context.tree.domain) of the user you want to add, then click OK. 





+ Modify Trustee Rights: Select one or more trustees, select or deselect the check box for 
each trustee right you want to modify, then click Apply. 


+ Delete a Trustee: Select one or more trustees, then click Remove. 


+ Combine Multiple Trustees: This option is available only when viewing the file-system 
trustee rights for multiple directories or files. Additionally, at least one of the selected 
directories or files must have at least one trustee assignment. 


Select one or more trustees from the Trustees list, select Combine Multiple Trustees, then 
click Apply. The trustees’ rights are combined and applied to all selected directories and 
files. All selected trustees become trustees of all selected directories and files. 


5 When you are done, click OK to apply your changes. 


9.8.3 Using the Novell Client to Manage Inherited Rights and 
Filters 


Administrators and users can manage file system inherited rights and filters for network directories 
and files, using the Novell Client on their workstations. For information about filtering inherited 
rights, see Section 8.2.6, “Inherited Trustee Rights,” on page 72. 
1 Use one of the following methods to access the Inherited Rights and Filters dialog box: 
+ In a file manager, right-click the network directory or file, then select Inherited Rights and 
Filters. 


+ In the file-system trustee rights window, click Inherited Rights and Filters. 




















2 (Conditional) If you have the Supervisor right or the Access Control right for the selected 
network directory or file, you can configure its inherited rights. Do one or more of the 
following: 


+ Modify Trustee Rights: Select the trustee you want to manage from the Trustees 
Inherited from Selected Item and Parent Directories. Select or deselect the check box of 
the file-system trustee right you want to modify, then click Apply. 


Changing the Inherited Rights and Filters does not grant rights; it removes rights 
previously assigned at a higher level in the path. Deselect the right to filter the right for a 
specific trustee or for all trustees of the selected directory or file. 


+ Delete a Trustee: Select the trustee you want to manage from the Trustees Inherited from 
Selected Item and Parent Directories, then click Remove Trustee. 


3 (Conditional) If you selected a directory, click View Trustees Below Directory to view a list of 
trustees for files or directories in the selected directory. 


4 When you are done, click OK. 


9.8.4 Using Novell Remote Manager for NetWare (NetWare) 


Administrators can also use Novell Remote Manager for NetWare to perform these tasks on 
NetWare. 


1 In Novell Remote Manager, click Manage Server > Volumes to open the Volume Management 
page. 

2 Click the Volume link of the volume you want to manage. 

3 Browse to the directory or file you want to manage. 


4 Click the Properties icon to the left of the directory or file you want to manage. 

5 Do one or more of the following: 


+ Add a Trustee: Type the full distinguished name or bindery name of the User object you 
want to add in the User Name field of the Trustee Information, or browse to the User 
object and select it, then click Add Trustee. 


+ Modify Trustee Rights: Locate the User object name in the list of User objects under the 
Trustee Information, then click the Trustee Rights link next to the username. Select or 
deselect the check box for the trustee right you want to change, then click OK. 


+ Delete a Trustee: Locate the User object name in the list of User objects under the 
Trustee Information, then click the Delete link next to the username. 


+ Modify the Inherited Rights Filter: Click the Inherited Rights Filter link in the 
directory or file information table. Select or deselect the check box for the rights you want 
to modify, then click OK. 


Changing the Inherited Rights Filter does not grant rights; it only removes rights 
previously assigned at a higher level in the tree. 


9.9 Managing File System Attributes for NSS and 
NetWare Traditional Volumes 


Administrators can configure NetWare directory and file attributes using the following methods: 


+ Section 9.9.1, “Using Novell NetStorage,” on page 98 
+ Section 9.9.2, “Using the Novell Client,” on page 98 
+ Section 9.9.3, “Using Novell Remote Manager (NetWare),” on page 99 
+ Section 9.9.4, “Using the NetWare GUI (NetWare),” on page 100 


For information about NetWare directory and file attributes and how to apply them, see Section 8.6, 
“Directory and File Attributes for NSS Volumes or NetWare Traditional Volumes,” on page 75. 


9.9.1 Using Novell NetStorage 


1 Open your Web browser to NetStorage and log in. 
2 Right-click the directory or file you want to manage, then select Properties. 


3 Click the NetWare Info tab, select or deselect attributes for the selected directory or file, then 
click Apply. 


Although the option label refers to NetWare, use the option for your Linux and NetWare NSS 
volumes. 


Select from the following attributes: 
+ Read only 
+ Archive 
+ Hidden 
+ Shareable 
+ Transactional 
+ Purge immediate 
+ Rename inhibit 
+ Delete inhibit 
+ Copy inhibit 


For information, see Section 8.6, “Directory and File Attributes for NSS Volumes or NetWare 
Traditional Volumes,” on page 75. 


9.9.2 Using the Novell Client 


Administrators and users with trustee rights can specify some file system attributes for directories 
and files, using the Novell® Client™ on their workstations. 


1 In a file manager, right-click the network directory or file, select Properties, then click NetWare 
Info. 





2 In the Attributes area, select the attribute to enable it, then click Apply. 

The attribute change is applied only if all the following conditions are met: 

+ The user has the correct trustee rights necessary to modify the selected attribute. 


+ The attribute must be a viable attribute for the underlying file system where the file 
resides. For example, some attributes apply only to NetWare Traditional volumes. 


+ The attribute must be enforceable by NCP or NSS in the current network configuration. 

3 Click OK. 


9.9.3 Using Novell Remote Manager (NetWare) 
1 In Novell Remote Manager for NetWare, click Manage Server > Volumes to open the Volume 
Management page. 
2 Click the Volume link of the volume you want to manage. 
3 Browse to select the directory or file you want to manage. 


4 View the resource’s attributes in the Attributes column. 


5 To modify the attributes, click the Attributes link. 




6 Select or deselect the check box for the attribute you want to set. 
7 Click OK. 


9.9.4 Using the NetWare GUI (NetWare) 


1 In your NetWare GUI console, browse to the directory or file you want to view or change the 
attributes of. 


2 Right-click the directory or file to open its Properties page. 











3 View the attributes in the Attribute area. 
4 Select or deselect the check box for the attribute you want to set. 
5 Click OK. 


9.10 Trustee Rights Utility for Linux 


The Trustee Rights Utility for Linux allows you to specify trustee rights for directories and files in 
NSS volumes on OES Linux. This utility does not provide support for Trustees on Linux file 
systems. It is also not meant to be used to set trustees for NSS volumes on OES NetWare. The 
trustee information is saved in the file and directory metadata in the NSS volume and works 
seamlessly with OES NetWare if the volume is moved to OES NetWare. 


9.10.1 Purpose 


Use this utility at a workstation to 


+ View or modify user or group rights for files 


+ View or modify user or group rights for directories and volumes 


9.10.2 Syntax 


rights [OPTIONS] 

rights [TOPTIONS] trustee USERNAME 

rights [DOPTIONS] delete USERNAME 

rights [IOPTIONS] irf 

rights [EROPTIONS] effective USERNAME 

rights [SOPTIONS] show 


9.10.3 Actions 


The first argument indicates the action to be taken. 


trustee Add or modify a trustee on a file or directory. 

delete Remove a trustee from a file or directory. 

irf Set the inherited rights filter on a directory. 

effective Display a user's effective rights. 

show Display the trustees and inherited rights filter. 


9.10.4 Options 


OPTIONS 


-v, --version Display the program version information. 


-h, --help Display the help screen. 


TOPTIONS 


-r, --rights=MASK Specify the rights to be given to this trustee. For information, see MASK. 
If the No Rights (n) option is assigned, the trustee is removed. 


If rights are not specified, the default assignment is Read and File Scan 
rights. 


-f, --file=filename Specify the name of file or directory to assign trustees to. Filename is the 
path for the file or directory. For example: 


-f /users/username/userfile.sxi 

--file=/designs/topsecret 


If a file or directory is not specified, the current directory is used. 


DOPTIONS 


-f, --file=filename The name of file or directory to delete trustees from. Filename is the path 
for the file or directory. 


If a file or directory is not specified, the current directory is used. 


IOPTIONS 


-r, --rights=MASK Specify the rights to be passed through the filter. For information, see 
MASK. 


If rights are not specified, the default assignment is All Rights. 


-f, --file=filename Specify the name of the directory where the filter is to be applied. 
Filename is the path for the directory. 


If a directory is not specified, the current directory is used. 


EROPTIONS 


-f, --file=filename The name of file or directory where effective rights are to be calculated. 
Filename is the path for the file or directory. 


If a file or directory is not specified, the current directory is used. 


SOPTIONS 

-f, --file=filename Specify the name of the file or directory to display a list of its trustees. 
If a file or directory is not specified, the current directory is used. 

USERNAME 


The username is the fully distinguished name of an eDirectory object, including the tree name. For 
example: username.context.treename or joe.engineer.acme_tree 





If you use special characters in a username, you must escape those special characters in the 
command line. For example, the '$' is a special character reserved to the shell and must be escaped. 
For the bash shell, the command could be written in one of two ways on the command line: 


rights -f /media/nss/DATA/stuff -r none \$j\$o\$e.engineer.acme_tree 
rights -f /media/nss/DATA/stuff -r none '$j$o$e.engineer.acme_tree' 


If you are using another shell, the special characters might need a different escape technique. In this 
case, please refer to the shell documentation for this information. 


MASK 


The mask is a string of characters, with each character representing a type of rights. The following 
table lists the rights, the letter to use for each right, and what the right is used for. 


Right Use to 

s (Supervisor) Grant all rights to the file or directory. 

r (Read) Open and read files in the directory. 

w (Write) Open and write to files in the directory. 

c (Create) Create files and subdirectories. 

e (Erase) Erase files and directories. 

m (Modify) Rename files and directories, and change file attributes. 

f (File Scan) View and search on file and directory names in the file system structure. 

a (Access Control) Add and remove trustees and change trustee rights to files and 
directories. 

none (No Rights) Remove all rights. 

all (All Rights) Add All rights except Supervisor. 


9.10.5 Example 





rights -f /designs/topsecret -r rwfc trustee joe.engineer.acme_tree 


This command assigns Read, Write, File Scan, and Create rights to the /designs/topsecret 
directory for user joe in the engineer context of the acme_tree eDirectory tree. 
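
The escaping rule under USERNAME matters most when the rights utility is driven from a script, because an unescaped `$` silently changes which name the utility receives. The following added example (not part of the Novell guide) checks a MASK against the letters in the table above, builds the argument vector in the order used by the Syntax section, and uses `sh` to show what the shell delivers for the page's `$j$o$e.engineer.acme_tree` sample; the helper names are hypothetical and the utility itself is never run.

```python
import os
import shlex
import subprocess

MASK_LETTERS = set("srwcemfa")  # single-letter rights from the MASK table
MASK_WORDS = {"none", "all"}    # whole-word masks from the same table

# Sample username with shell-special characters, as used in this section.
NAME = "$j$o$e.engineer.acme_tree"


def check_mask(mask: str) -> str:
    """Accept only 'none', 'all', or a string made of the MASK letters."""
    if mask in MASK_WORDS or (mask and set(mask) <= MASK_LETTERS):
        return mask
    raise ValueError(f"not a valid rights MASK: {mask!r}")


def trustee_argv(path: str, mask: str, username: str) -> list:
    """Argument vector for: rights -f PATH -r MASK trustee USERNAME.

    Passing this list to subprocess.run() without shell=True hands the
    username to the utility unchanged, so no escaping is needed at all.
    """
    return ["rights", "-f", path, "-r", check_mask(mask), "trustee", username]


def as_shell_line(argv: list) -> str:
    """The same command as one line that is safe to paste into bash or sh."""
    return " ".join(shlex.quote(arg) for arg in argv)


def word_after_shell(typed: str) -> str:
    """Return what sh passes to a program for one word typed exactly as given.

    `typed` is deliberately inserted unquoted to reproduce the mistake, so
    call this only with fixed demonstration strings, never with user input.
    """
    env = {"PATH": os.environ.get("PATH", "/usr/bin:/bin")}  # j, o, e are unset
    done = subprocess.run(
        ["sh", "-c", "printf '%s' " + typed],
        env=env, capture_output=True, text=True, check=True,
    )
    return done.stdout


if __name__ == "__main__":
    print("typed bare    ->", word_after_shell(NAME))
    print("backslashes   ->", word_after_shell(r"\$j\$o\$e.engineer.acme_tree"))
    print("single quotes ->", word_after_shell(shlex.quote(NAME)))
    print(as_shell_line(trustee_argv("/media/nss/DATA/stuff", "rf", NAME)))
```

Typed bare, the three `$` expansions vanish and the utility would be given `.engineer.acme_tree`, a different name from the one intended.
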


9.11 Trustee Rights Utility for NetWare 


The Trustee Rights Utility for NetWare allows you to specify trustee rights for directories and files 
in NSS volumes on OES NetWare. 


9.11.1 Purpose 


Use this utility at a workstation to 


+ View or modify user or group rights for files 


+ View or modify user or group rights for directories and volumes 


9.11.2 Syntax 





RIGHTS path [[ + | - ] rights] [/option...] [/? | /VER] 


Parameter Use to 

path Specify the path to the file, directory, or volume you want to modify or view 
rights to (you must always specify a path). 

+ | - Add or delete the specified rights. See “Using RIGHTS” on page 105. 

rights Specify one or more file or directory rights. See “File and Directory Rights” 
on page 105. 

/option Replace option with any available option. See “RIGHTS Options” on 
page 105. 

/? View online help. All other parameters are ignored when /? is used. 

/VER View the version number of the utility and the list of files it uses to 
execute. All other parameters are ignored when /VER is used. 


RIGHTS Options 


Option Use to 

/C Scroll continuously through output. 

/F View the Inherited Rights Filter (IRF). 

/I View the trustee and group rights that created the inherited rights, and 
view where the inherited rights came from. 

/NAME=username View or modify rights for the user or group listed. Replace username with 
the name of the user or group whose rights you want to view or modify. 

/S View or modify subdirectories below the current level. 

/T View trustee assignments in a directory. 


File and Directory Rights 


The following table lists the rights, the letter to use for each right, and what the right is used for. 


Right               Use to

S (Supervisor)      Grant all rights to the file or directory.
R (Read)            Open and read files in the directory.
W (Write)           Open and write to files in the directory.
C (Create)          Create files and subdirectories.
E (Erase)           Erase files and directories.
M (Modify)          Rename files and directories, and change file attributes.
F (File Scan)       View and search on file and directory names in the file system structure.
A (Access Control)  Add and remove trustees and change trustee rights to files and directories.
N (No Rights)       Remove all rights.
REM (Remove)        Remove the user or group as a trustee of the specified file or directory.
ALL                 Add All rights except Supervisor.


9.11.3 Using RIGHTS 


+ If you use + (plus) to add rights, the rights you list are added to the existing rights.

+ If you use - (minus) to remove rights, the rights you list are deleted from the existing rights.

+ If you add and delete rights in the same command, group all added rights together and all deleted rights together.

+ If you list rights without using + or -, the rights you list replace the existing rights.

+ You must always specify a path. You can use a period (.) to represent your current directory.

+ You can use wildcard characters.


9.11.4 Examples 





+ To set the trustee rights in the current directory for user JANICE to Read, Write, and File Scan, enter

RIGHTS . RWF /NAME=JANICE

+ To remove user ERNESTO as a trustee of SYS:USERS, enter

RIGHTS SYS:USERS REM /NAME=ERNESTO

+ To see where user PATRICK'S inherited rights came from for SYS:USERS\HOME, type

RIGHTS SYS:USERS\HOME /NAME=PATRICK /I
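
The add, delete, and replace rules in “Using RIGHTS” can be previewed before a trustee assignment is changed. The following Python model is an added example, not Novell code or part of the RIGHTS utility; the function names are hypothetical, and it assumes that added and deleted groups are separated by spaces and that N and REM are used on their own.

```python
# Added example: dry-run model of the RIGHTS rights argument (not Novell code).
ALL_EXCEPT_S = frozenset("RWCEMFA")   # ALL adds every right except Supervisor
VALID = ALL_EXCEPT_S | {"S"}
SENSITIVE = frozenset("SA")           # S grants all rights; A can change trustees


def _letters(group):
    """Expand one rights group (ALL or a run of right letters) into a set."""
    if group == "ALL":
        return set(ALL_EXCEPT_S)
    if not group or set(group) - VALID:
        raise ValueError(f"invalid rights group: {group!r}")
    return set(group)


def apply_rights(existing, spec):
    """Return the resulting rights as a sorted string, or None when REM removes
    the trustee. Assumption: added and deleted groups are space separated."""
    current = set(existing.upper())
    tokens = spec.upper().split()
    if not tokens:
        raise ValueError("empty rights argument")
    if tokens == ["REM"]:
        return None                   # REM: user or group removed as a trustee
    if tokens == ["N"]:
        return ""                     # N: all rights removed
    signed = [t for t in tokens if t[0] in "+-"]
    if not signed:                    # no sign: the list replaces existing rights
        if len(tokens) != 1:
            raise ValueError("a replacement list must be one group")
        return "".join(sorted(_letters(tokens[0])))
    if len(signed) != len(tokens):
        raise ValueError("cannot mix signed and unsigned groups")
    for tok in tokens:
        if tok[1:] in ("N", "REM"):
            raise ValueError(f"{tok[1:]} cannot follow + or -")
        if tok[0] == "+":
            current |= _letters(tok[1:])   # added to the existing rights
        else:
            current -= _letters(tok[1:])   # deleted from the existing rights
    return "".join(sorted(current))


def newly_sensitive(before, after):
    """Sensitive rights (S, A) present after the change but not before it."""
    return "".join(sorted((set(after or "") & SENSITIVE) - set(before.upper())))
```
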


9.12 Attributes Utility for Linux 


The Attributes (ATTRIB) Utility for Linux allows you to specify file system attributes for 
directories and files in NSS volumes on OES Linux. 











IMPORTANT: This utility works only with directories and files in the NSS file system on Linux. 





9.12.1 Purpose 


Use at a workstation to 


+ View or modify file system attributes for files 


+ View or modify file system attributes for directories 


9.12.2 Syntax 


attrib [OPTIONS] [filename] 


If both the set and clear options are selected, the clear option is done before the set option. If the 
filename is not specified, the operation is done on the current directory. 


9.12.3 Options 





OPTIONS

Option                          Description

-s, --set=ATTRIBUTES            Sets the attributes on the file
-c, --clear=[ATTRIBUTES | all]  Clears the attributes on the file
-l, --long                      Displays a long version of the file’s attributes
-q, --quiet                     Does not display any normal output
-v, --version                   Displays the program version information
-h, --help                      Displays the ATTRIB help screen

ATTRIBUTES


Multiple attributes are comma separated.


Code  Applies to Files  Applies to Directories  Description

aa    Yes               No                      Attribute Archive identifies that a file’s metadata has been modified since the last backup. This attribute is assigned automatically.
all   Yes               Yes                     All (used only for the Clear option) represents all attributes that can be modified.
ar    Yes               No                      Archive identifies files that have modified content since the last backup. This attribute is assigned automatically.
cc    Yes               No                      Cannot compress (status display only) displays if the file cannot be compressed because of limited space savings.
ci    Yes               No                      Copy Inhibit prevents users from copying a file. This attribute overrides the trustee Read right and File Scan right. This attribute works only for clients using Macintosh operating systems.
cm    Yes               No                      Compressed (status display only) displays whether the file is currently stored in compressed format.
dc    Yes               No                      Do Not Compress keeps data from being compressed. This attribute overrides settings for automatic compression of files not accessed within a specified number of days.
di    Yes               Yes                     Delete Inhibit prevents users from deleting a directory or file. This attribute overrides the trustee Erase right. When it is enabled, no one, including the owner and network administrator, can delete the directory or file. A trustee with the Modify right must disable this right to allow the directory or file to be deleted.
ex    Yes               No                      Execute indicates program files such as .exe or .com.
hi    Yes               Yes                     Hidden hides directories and files so they do not appear in a file manager or directory listing.
ic    Yes               Yes                     Immediate Compress sets data to be compressed as soon as a file is closed. If applied to a directory, every file in the directory is compressed as each file is closed. The files in the specified directory are compressed as soon as the operating system can perform the operation after the file is closed. This does not apply to the directory’s subdirectories and the files in them.
ip    Yes               Yes                     Immediate Purge flags a directory or file to be erased from the system as soon as it is deleted. Purged directories and files cannot be recovered.
ln    Yes               No                      Link (status display only) indicates a symbolic link (soft link).
mg    Yes               Yes                     Migrated (status display only) displays if the file or directory is migrated to near-line media.
mi    Yes               Yes                     Migrate Inhibit prevents directories and files from being migrated from the server’s disk to a near-line storage medium.
ri    Yes               Yes                     Rename Inhibit prevents the directory or file name from being modified.
ro    Yes               No                      Read Only prevents a file from being modified.
sd    No                Yes                     Subdirectory (status display only) indicates that the entry is a directory, not a file.
sh    Yes               No                      Sharable allows more than one user to access the file at the same time. This attribute is usually used with Read Only.
sy    Yes               Yes                     System hides the directory or file so it does not appear in a file manager or directory listing. System is normally used with operating system files, such as Linux or NetWare system files.
tr    Yes               No                      Transactional allows a file to be tracked and protected by the Transaction Tracking System™ (TTS™). This option works only on NetWare.
vo    Yes               No                      Volatile indicates that a file can change without being written to so that opportunistic locks cannot be set on it.


9.12.4 Example


attrib /designs/topsecret -c=all -s=ro,di


This command clears all attributes, then sets read-only and delete-inhibit on the /designs/topsecret file.


9.13 FLAG (NetWare) 


For NetWare, you can use the FLAG utility to set directory and file attributes from the command line. 
For information, see “FLAG (NetWare)” in the NW 6.5 SP8: NSS File System Administration Guide.


Understanding Directory Structures in Linux POSIX File Systems


This section discusses directory structures for Linux POSIX file systems on your Novell® Open 
Enterprise Server 2 Linux server. 

+ Section 10.1, “Linux Filesystem Hierarchy,” on page 109

+ Section 10.2, “Default Directories,” on page 109

+ Section 10.3, “Linux File Types,” on page 110

+ Section 10.4, “POSIX Access Control Lists,” on page 110


For information about OES Linux file systems, see the SUSE Linux Enterprise Server 10 Installation and Administration Guide (http://www.novell.com/documentation/sles10/sles_admin/data/sles_admin.html).


10.1 Linux Filesystem Hierarchy 


Linux recommends a standard file and directory placement. For information, see the Linux 
Filesystem Hierarchy (http://www.tldp.org/LDP/Linux-Filesystem-Hierarchy/html/index.html) at 
the Linux Documentation Project (http://www.tldp.org). 





IMPORTANT: Refer to individual product documentation to understand where Novell applications 
store files within this hierarchy. 





10.2 Default Directories 


In Linux, all directories are attached to the root directory, which is identified by a forward slash (/). 
Directories that are only one level below the root directory are preceded by a slash, to indicate their 
position and prevent confusion with other directories that could have the same name. For example, 
the table below lists some common second-level directories: 


Linux Directory  Description

/bin             System binaries, user programs with normal user permissions
/sbin            Executables that need root permission
/data            A user-defined directory
/dev             System device tree
/etc             System configuration
/home            Users' home directories
/home/username   A user's personal home directory
/tmp             System temporary files
/usr             Applications software
/usr/bin         Executable files for programs with user permission
/var             System variables
/lib             Libraries needed for installed programs to run


Every device and hard disk partition is represented in the Linux file system as a subdirectory of the 
root directory. For example, the floppy disk drive in Linux might be /etc/floppy. The root directory 
lives in the root partition, but other directories (and the devices they represent) can reside anywhere. 
Removable devices and hard disk partitions other than the root are mounted (attached) to 
subdirectories in the directory tree. This is done either at system initialization or in response to a 
mount command. 


NOTE: There are no standards in Linux for which subdirectories are used for which devices. 





All the file systems use directories and subdirectories. NetWare® separates directories with a 
backslash, and Linux uses a forward slash. NetWare filenames are case insensitive. Linux file names 
are case sensitive. For example “abc” and “aBc” are different files in Linux, but in NetWare, they 
refer to the same file. 


10.3 Linux File Types 


As with most file systems, Linux supports a variety of file types, as described in the following table: 


File Type     First Character in File Listing  Description

Regular file  -                                Normal files such as text, data, or executable files
Directory     d                                Files that are lists of other files
Link          l                                A shortcut that points to the location of the actual file
Special file  c                                Mechanism used for input and output, such as files in /dev
Socket        s                                A special file that provides inter-process networking protected by the file system’s access control
Pipe          p                                A special file that allows processes to communicate with each other without using network socket semantics


10.4 POSIX Access Control Lists 


For information, see “Access Control Lists” (http://www.novell.com/documentation/sles10/sles_admin/data/cha_acls.html) in the SUSE Linux Enterprise Server 10 Installation and Administration Guide (http://www.novell.com/documentation/sles10/sles_admin/data/sles_admin.html).


Documentation Updates


This section contains information about documentation content changes made to the File Systems 
Management Guide since the initial release of NetWare® 6.5 SP7. If you are an existing user, review 
the change entries to readily identify modified content. If you are a new user, simply read the guide 
in its current state. 


This document was updated on the following dates: 


+ Section A.1, “November 9, 2009,” on page 111

+ Section A.2, “December 2008 (NetWare 6.5 SP8),” on page 111

+ Section A.3, “January 4, 2008,” on page 112


A.1 November 9, 2009 


This guide has been modified for publication on the NetWare 6.5 SP8 Documentation Web site. 


A.2 December 2008 (NetWare 6.5 SP8) 


Updates were made to address new documentation standards. In addition, updates were made to the 
following sections. The changes are explained below. 

+ Section A.2.1, “Coexistence and Migration Issues,” on page 111

+ Section A.2.2, “Configuring File System Trustees, Trustee Rights, Inherited Rights Filters, and Attributes,” on page 112

+ Section A.2.3, “Managing Folders and Files on NSS and NetWare Traditional Volumes,” on page 112

+ Section A.2.4, “Understanding File System Access Control Using Trustees,” on page 112


A.2.1 Coexistence and Migration Issues 


Location                           Change

“Core Linux Utilities” on page 21  IMPORTANT: To enable users of NSS volumes and NCP volumes to use the core Linux utilities, you must PAM-enable the utility with Linux User Management (LUM) and Linux-enable the users with LUM.


A.2.2 Configuring File System Trustees, Trustee Rights, Inherited Rights Filters, and Attributes


Location                                                   Change

Section 9.12, “Attributes Utility for Linux,” on page 106  The Copy Inhibit attribute works only for Macintosh clients to access NSS volumes on NetWare.


A.2.3 Managing Folders and Files on NSS and NetWare Traditional Volumes


Location                                                                 Change

Section 7.2, “Deleting a File or Folder on an NSS Volume,” on page 48    A folder must be empty before it can be deleted.


A.2.4 Understanding File System Access Control Using Trustees


Location                                                                                                            Change

Section 8.6, “Directory and File Attributes for NSS Volumes or NetWare Traditional Volumes,” on page 75            Read only prevents a file from being modified.


A.3 January 4, 2008 


Updates were made to the following sections. The changes are explained below. 


+ Section A.3.1, “What’s New for File System Management and Access,” on page 112 


+ Section A.3.2, “Management Tools for Files and Folders Management,” on page 113 


A.3.1 What's New for File System Management and Access 


Location                                                                           Change

Section 2.2.1, “Files and Folders Plug-In to Novell iManager 2.7,” on page 16      Directory quotas management is available only for NSS volumes where the volume’s Directory Quotas attribute is enabled.
                                                                                   Salvage and purge of deleted files and directories is available only for NSS volumes where the volume’s Salvage attribute is enabled.


A.3.2 Management Tools for Files and Folders Management


Location                      Change

“Deleted Files” on page 26    Salvage and purge of deleted files and directories is available only for NSS volumes where the volume’s Salvage attribute is enabled.
“Properties” on page 26       Directory quotas management is available only for NSS volumes where the volume’s Directory Quotas attribute is enabled.